Abstract. We present a tight security analysis of the Bennett-Brassard 1984 protocol
taking into account the finite size effect of key distillation, and achieving unconditional
security. We begin by presenting a concise analysis utilizing the normal approximation
of the hypergeometric function. Then next we show that a similarly tight bound can
also be obtained by a rigorous argument without relying on any approximation.
In particular, for the convenience of experimentalists who wish to evaluate the
security of their QKD systems, we also give explicit procedures of our key distillation,
and also show how to calculate the secret key rate and the security parameter from
a given set of experimental parameters. Besides the exact values of key rates and
security parameters, we also present how to obtain their rough estimates using the
normal approximation.

1. Introduction

The finite size effect is an important issue in practical quantum key distribution (QKD)
systems. The first detailed finite-size analysis for general coherent attacks was given
by Hayashi [1] using the normal approximation. Later, Scarani and Renner [2] gave a
simple analysis based on the quantum de Finetti theorem, but their results are valid
only against collective attacks. Matsumoto and Uyematsu also gave a simple analysis
[3], but again, essentially valid only for collective attacks. Later, Tomamichel et al.
[1] gave a tighter bound with unconditional security by using the uncertainty relations
(see, e.g., [SIE]).

In this paper, we present a concise analysis for the Bennett-Brassard 1984 (BB84)
protocol [7] that takes the finite key effect into account and yields better key generation
rates, with and without relying on the normal approximation. Our analysis is valid for
general coherent attacks and thus our results guarantee unconditional security. For
the sake of simplicity, we consider the case where the sender, Alice, has a perfect single
photon source. We also assume that Alice and the receiver, Bob, calculate an upper
bound on the phase error rate of a sifted key from that of the corresponding sample bits;
hence the key generation rate can vary each time Alice and Bob run the protocol.

Throughout the paper we use the security criteria with universal composability;
the same criteria as used by many researchers, particularly by Renner and his coworkers
[H |9]. Hence our final goal is to show that the trace distance between the actual and
the ideal states can be bounded from above. However, in the mathematical analysis for
obtaining upper bounds on the trace distance, we do not use Renner's approach based
on the smooth minimum entropy [8]. Instead, we bound the trace distance using the
argument by Shor and Preskill [10], as well as its modification by Hayashi [1]. In Section
3, by using these formalisms, we show that the trace distance can be bounded by using
the decoding error probability $P_{\rm ph}$ of the virtual phase error correction; in other words,
the universally composable security can be guaranteed by bounding $P_{\rm ph}$. To the best
of our knowledge, our argument here is the first rigorous treatment of the universally
composable security based on the Shor-Preskill formalism, applicable to linear universal
hash functions with variable final key lengths.

As we shall also discuss at the end of Section 3, in order to achieve high key
generation rates and strong bounds on $P_{\rm ph}$ simultaneously, it is crucial to estimate the
phase error rate $p_{\rm sft}$ of the sifted key with a high accuracy. Note here that the quantity
$p_{\rm sft}$ cannot be measured directly in the BB84 protocol. Hence in Section 4 we solve an
interval estimation problem on $p_{\rm sft}$ using the hypergeometric distribution $P_{\rm hg}$. Then by
using the obtained result, we give explicit bounds on $P_{\rm ph}$ in Section 5. In particular,
in order to clarify the argument, we present two versions of analysis: We first derive a
simple bound that we call the straightforward bounds (Propositions 1 and 2); and then
next give a more complicated bound called the Gaussian bounds (Theorems 2 and 3),
which yield a better final key rate if the raw key is sufficiently large. For both types
of bounds, we first present a simple analysis based on the normal approximation of the
hypergeometric function (Proposition 1 and Theorem 2), and then next show that a
similarly tight bound can also be obtained by a rigorous argument without relying on
any approximation (Proposition 2 and Theorem 3).

Since this paper is not aimed only at theorists, but also at experimentalists who
wish to evaluate the security of their QKD systems, we include explicit procedures of
security evaluation. We begin in Section 2 by explaining explicit procedures of our key
distillation. Then after theoretical arguments of the security, we demonstrate in Section
6 how to use our theorems to calculate the secret key rate and the security parameter
(i.e., an upper bound on the trace distance) from a given set of experimental parameters.
Besides the exact values of key rates and security parameters, we also present how to
obtain their rough estimates using the normal approximation.

In order to show that our rates are indeed better than in the existing literature, e.g.,
Refs. [21 H], we draw in Section 7 example curves of key generation rates (Figs. 1
and 2). There are several reasons for this improvement. First, our upper bounds are
close to the approximated value of the hypergeometric distribution obtained by the
normal approximation, while the existing results [21 H] did not discuss the closeness
to the normal approximation. Second, in our method, the adversary's information is
estimated in terms of the Shannon entropy, whereas in [21 S] they use the minimum
entropy, which is a lower bound on the Shannon entropy. Finally, we use an error
margin that depends on the measured error rates of sample bits, while in Refs. [21 H]
the margin is a constant.

We also treat the sacrifice bit length with the second order coding rate, which
has drawn attention from the information theory community [HI [T21 [l3]. The conventional
asymptotic theory treats the coding length with the first order coefficient. It is
impossible to treat the approximation value of the best error probability with the first
order coefficient of the coding length. However, it becomes possible if we consider the
coding length up to the second order coefficient. In this paper, we derive an asymptotic
approximation value of the upper bound of the universally composable security criterion
when the sacrifice bit length is given in the form $n h(p_{\rm smp}) + \sqrt{n}\,g(p_{\rm smp})$ with the measured
phase error rate, where a function $g(p_{\rm smp})$ of $p_{\rm smp}$ will be given with a concrete form in
Section HI (Theorem H]).

The differences from our previous papers are as follows. In Refs. pLj, Hayashi
simply approximated the hypergeometric distribution by the normal distribution having
the same variance, without showing its validity. In this paper, we present a rigorous
analysis without relying on any approximation (Proposition 2 and Theorem 3), by using
upper bounds on the hypergeometric distribution obtained from Stirling's formula
and inequalities proved in Ref. [HI [15]. As mentioned above, we also included the first
rigorous treatment of the universally composable security based on the Shor-Preskill
formalism, applicable to linear universal hash functions with variable final key lengths.

2. Description of Our QKD Protocol

We consider the following type of the BB84 protocol. This protocol differs from existing
versions (e.g., [1, 2, 3]) only in the phase estimation and the privacy amplification steps.

Generation of a Sifted Key and Sample Bits. Alice and Bob start the protocol with a
quantum communication and obtain a sifted key of $n$ bits and sample bits of $l$ bits. Here
we assume that raw key bits are chosen from the uniform distribution. The sample bits
must be selected randomly, and a sifted key and the sample bits must be measured in
different bases.

For example, suppose that Alice and Bob exchange $N$ qubits, choosing the $x$ basis
with probability $q$, and the $z$ basis with $1 - q$. Then, on average, $Nq^2$ bits coincide in
the $x$ basis, and $N(1-q)^2$ in the $z$ basis. By assigning the $x$ basis for a sifted key, and
the $z$ basis for sample bits, they have $n = Nq^2$, $l = N(1-q)^2$.$^{\ddagger}$

Bit Error Correction. Bob corrects bit errors in his sifted key using a linear error
correcting code. For example, as in Shor-Preskill's case [10], Alice may announce a
random bit string XORed with her sifted key; or alternatively, as in Koashi's case [16],
she may send a syndrome of her sifted key encrypted with a previously shared secret key.
In either case, Alice and Bob end up with $n(1 - f h(p_{\rm bit}))$ bits of reconciled key $k_{\rm rec}$ with
the bit error rate $p_{\rm bit}$ of a sifted key. Here $h(x)$ is the binary entropy function defined
as $h(x) := -x\log_2 x - (1-x)\log_2(1-x)$, and value $f$ corresponds to the efficiency of
the error correcting code used. For practical codes, $f \simeq 1.1$. It should be noted that
here the sizes of bit error correcting codes are independent of the security, and thus
Alice and Bob may perform bit error correction by dividing a sifted key $k_{\rm sif}$ of $n$ bits into
arbitrarily smaller blocks.

In many cases, one needs to guarantee the correctness of the shared keys, that is,
one has to minimize the probability $\varepsilon_{\rm cor}$ that Alice's and Bob's secret keys do not match
and the protocol does not abort. One way of minimizing $\varepsilon_{\rm cor}$ is that Alice calculates
an $r$-bit hash value of her reconciled key $k_{\rm rec}$ using universal$_2$ hash functions. Then she
encrypts it with the one-time pad using a previously shared secret key, and sends it
to Bob. Bob also calculates his own hash value, and if it does not match Alice's, they
abort the protocol$^{\S}$. By doing this, we have $\varepsilon_{\rm cor} \le 2^{-r}$.

Estimation of the number of phase errors in the channel. In order to use privacy
amplification properly and guarantee the security of a secret key, Alice and Bob need
to know an upper bound on the number of phase errors occurring in the channel. It
should be noted here that the phase error is a completely different concept from the bit
error mentioned above (for details, see Section 3). Since the phase error rate cannot
be measured directly in practical QKD systems, we estimate its upper bound from the
measured error rate of samples.

$^{\ddagger}$ In general, however, Alice and Bob may choose bases with different probabilities, and a sifted key
and sample bits may be chosen with arbitrary proportions from the two bases.

$^{\S}$ Another possibility is to continue the protocol by exchanging supplementary information, such as an
additional syndrome, over the public channel, and try bit error correction again. In such a case, the
supplementary information also needs to be encrypted with a formerly shared key.

We denote the number of bit errors occurring in the sample bits by $c$, and the
corresponding bit error rate by $p_{\rm smp}(c) := c/l$. We also call the union of a sifted key
and the sample bits total bits, and denote the number of their bit errors by $k$. Hence
the error rate of total bits is given by $p(k) := k/(n+l)$, and that of a sifted key by
$p_{\rm sft}(k,c) = (k-c)/n$. Note here that measuring $c$ corresponds to randomly sampling
phase errors in the total bits, because a sifted key and the samples are measured in
different bases. Due to this fact, the measured value of $p_{\rm smp}(c)$ is used to estimate an
upper bound on $p_{\rm sft}(k,c)$. In the asymptotic limit $n, l \to \infty$, Alice and Bob may assume
$p_{\rm sft}(k,c) = p_{\rm smp}(c)$. In practical QKD systems, however, the two values differ in general
due to statistical fluctuations. Thus they obtain a statistically estimated upper bound of
$p_{\rm sft}(k,c)$ as a function of the measured value $c$, which we denote by $\hat p_{\rm sft}(c)$. Throughout
the paper, we make it a rule to denote an estimated upper bound of a random variable
$v$ by $\hat v$. The explicit functional form of $\hat p_{{\rm sft},\varepsilon}(c)$ is discussed later, and is given in Eq.
(ESD.

Privacy Amplification (PA). The estimated phase error rate $\hat p_{\rm sft}(c)$ can be used to obtain
an upper bound on the amount of information that is leaked to Eve. In order to cancel
Eve's information, Alice and Bob perform a classical data processing called privacy
amplification on the reconciled key $k_{\rm rec}$ to generate the secret key $k_{\rm sec}$; very roughly
speaking, PA randomizes and shrinks $k_{\rm rec}$ so that Eve's information is canceled by the
remaining fraction that is unknown to Eve. The number of bits to be reduced in this
process (sacrifice bits) is determined from $\hat p_{\rm sft}(c)$ in the following manner.

We set two limits $c_{\min}$ and $c_{\max}$ ($c_{\min} < c_{\max}$) on the sample bit error $c$, depending
on which Alice and Bob change their procedures.

• If $c_{\max} < c$, Alice and Bob abort the protocol.

• If $c_{\min} \le c \le c_{\max}$, Alice and Bob generate a secret key as the hash value of their
sifted key by using linear and surjective universal$_2$ hash functions. The number
$a(c)$ of sacrifice bits, i.e., the number of bits reduced in PA, is given by

    $a(c) = \lceil n h(\hat p_{{\rm sft},\varepsilon}(c+2)) \rceil + D.$

Here $\lceil x \rceil$ denotes the smallest integer larger than or equal to $x$. Hence, as a result,
they obtain a secret key $k_{\rm sec}$ of $G = n[1 - f h(p_{\rm bit})] - \lceil n h(\hat p_{{\rm sft},\varepsilon}(c+2)) \rceil - D$ bits.$^{\|}$

• If $c < c_{\min}$, Alice and Bob generate a secret key in the same way as above, except
that they sacrifice $a(c) = \lceil n h(\hat p_{{\rm sft},\varepsilon}(c_{\min}+2)) \rceil + D$ bits for PA. As a result, they
obtain a secret key $k_{\rm sec}$ of $G = n[1 - f h(p_{\rm bit})] - \lceil n h(\hat p_{{\rm sft},\varepsilon}(c_{\min}+2)) \rceil - D$ bits.

$^{\|}$ Note that key length $G$ of (2) differs from the asymptotic case ($l, n \to \infty$) essentially only in the
definition of phase error rate $\hat p_{{\rm sft},\varepsilon}(c+2)$. Hence the estimation of $\hat p_{{\rm sft},\varepsilon}(c+2)$ is the key point of our
finite size analysis.

Alternatively, we can combine these three cases as follows: Define the sacrificed bit length
$a(c)$ to be

    $a(c) = \lceil n h(\hat p_{{\rm sft},\varepsilon}(\max[c, c_{\min}] + 2)) \rceil + D.$    (1)

If $c \le c_{\max}$, Alice and Bob sacrifice $a(c)$ bits for PA and obtain the final key of length

    $G(c) = n[1 - f h(p_{\rm bit})] - a(c).$    (2)

If $c > c_{\max}$, they abort the protocol.

In practice, the most efficient implementation of PA is to use the Toeplitz matrices:
Alice and Bob select a bit-valued Toeplitz matrix $M$ randomly by communicating over
the public channel, multiply it with a reconciled key $k_{\rm rec}$ modulo 2, and obtain the secret
key $k_{\rm sec} = M k_{\rm rec}$ (for details, see, e.g., [81 ITTl fT8] ).

In this paper, we additionally require the surjectivity for all of hash functions. To
the best of our knowledge, the most efficient implementation of linear and surjective
universal$_2$ functions is by using the modified Toeplitz matrix, introduced in [H [17]; in
this case we replace $M$ above by a concatenation $M' = (I, T)$ of the (square) identity
matrix $I$ and a Toeplitz matrix $T$. Note that this modification $M'$ is slightly more
efficient than $M$ above. Also note that unlike $M'$, the normal Toeplitz matrix $M$ gives
a non-surjective map with a very small but nonzero probability; e.g., for $M$ being an
all-zero or all-one matrix.

It should be noted here that, unlike in bit error correction, one is not allowed to
perform PA by dividing $k_{\rm rec}$ and $k_{\rm sec}$ into smaller blocks, because doing so will destroy
the universal$_2$ property of the (modified) Toeplitz matrix. Also note here that both
key lengths, $|k_{\rm rec}| = n[1 - f h(p_{\rm bit})]$ and $|k_{\rm sec}| = G$, are of order $O(n)$. If one applies a
naive multiplication algorithm, the computational complexity (i.e., the processing time)
increases as $O(n^2)$ (i.e., $O(n)$ per key), and thus becomes a severe bottleneck of the key
distillation. This is in fact the most explicit impact of the finite size effect on practical
QKD systems.

One way around this problem is to use an efficient multiplication algorithm for a
Toeplitz matrix and a vector exploiting the fast Fourier transform (FFT) algorithm (see,
e.g., [19]). The complexity of this efficient algorithm scales as $O(n \log n)$, or $O(\log n)$
per bit, which can be regarded as a constant in practice. An actual implementation
shows that the throughput exceeds 1 Mbps for $|k_{\rm rec}|$ = 10^ on software, as demonstrated,
e.g., in Ref. [18].
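
The modified Toeplitz hashing $M' = (I, T)$ and the convolution structure behind the fast multiplication, as an added example (not code from the paper or its references). The function names, the bit layout $T_{ij} = t_{i-j+{\rm cols}-1}$ and the seeded sample key are assumptions; the convolution is evaluated with a Python big-integer product (Kronecker substitution) standing in for an explicit FFT, so it shows the structure rather than the $O(n \log n)$ running time.

```python
import random


def toeplitz_rows(t, m, cols):
    """Rows of the m x cols Toeplitz matrix with entries T[i][j] = t[i - j + cols - 1]."""
    if len(t) != m + cols - 1:
        raise ValueError("an m x cols Toeplitz matrix is fixed by m + cols - 1 bits")
    return [[t[i - j + cols - 1] for j in range(cols)] for i in range(m)]


def modified_rows(t, m, n):
    """Rows of M' = (I, T): the m x m identity followed by an m x (n - m) Toeplitz block."""
    block = toeplitz_rows(t, m, n - m)
    return [[int(i == j) for j in range(m)] + block[i] for i in range(m)]


def pa_naive(k_rec, t, m):
    """k_sec = M' k_rec mod 2 by direct row-times-vector products (about m * n bit operations)."""
    return [sum(a & b for a, b in zip(row, k_rec)) & 1
            for row in modified_rows(t, m, len(k_rec))]


def _pack(bits, stride):
    """Put bit i at position i * stride so that integer products never carry across slots."""
    return sum(b << (i * stride) for i, b in enumerate(bits))


def pa_convolution(k_rec, t, m):
    """Same k_sec, read off the polynomial product t(x) * v(x), where v is the tail of k_rec."""
    n = len(k_rec)
    if not 0 < m < n or len(t) != n - 1:
        raise ValueError("need 0 < m < n and exactly n - 1 Toeplitz bits")
    head, tail, cols = k_rec[:m], k_rec[m:], n - m
    stride = cols.bit_length()            # every coefficient is at most cols < 2**stride
    prod = _pack(t, stride) * _pack(tail, stride)
    # (T v)[i] is the coefficient of x^(i + cols - 1); its lowest bit is the value mod 2.
    return [head[i] ^ ((prod >> ((i + cols - 1) * stride)) & 1) for i in range(m)]


def gf2_rank(rows):
    """Rank over GF(2) of a matrix given as a list of 0/1 rows."""
    basis = {}                            # leading-bit position -> reduced row
    for bits in rows:
        r = int("".join(map(str, bits)), 2)
        while r:
            lead = r.bit_length()
            if lead not in basis:
                basis[lead] = r
                break
            r ^= basis[lead]
    return len(basis)


def surjectivity_report(m, n):
    """Ranks of (M' with all-zero T, plain all-zero Toeplitz M, plain all-one Toeplitz M)."""
    return (gf2_rank(modified_rows([0] * (n - 1), m, n)),
            gf2_rank(toeplitz_rows([0] * (m + n - 1), m, n)),
            gf2_rank(toeplitz_rows([1] * (m + n - 1), m, n)))


if __name__ == "__main__":
    rng = random.Random(2012)             # constructed sample input, seeded for reproducibility
    n, m = 48, 30                         # |k_rec| = n, |k_sec| = m, so n - m bits are sacrificed
    k_rec = [rng.randrange(2) for _ in range(n)]
    t = [rng.randrange(2) for _ in range(n - 1)]
    print("naive == convolution:", pa_naive(k_rec, t, m) == pa_convolution(k_rec, t, m))
    print("ranks (M' zero T, M all-zero, M all-one):", surjectivity_report(m, n))
```

The identity block keeps the rank of $M'$ equal to the output length for every choice of $T$, which is the surjectivity the text requires; the plain Toeplitz matrix drops to rank 0 or 1 in the two degenerate cases the paper names.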
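
|                                                              | total bits              | sifted key                             | sample bits             |
|--------------------------------------------------------------|-------------------------|----------------------------------------|-------------------------|
| Number of bits                                               | $n + l$                 | $n$                                    | $l$                     |
| Number of errors                                             | $k$                     | $k - c$                                | $c$                     |
| Error rate                                                   | $p(k) = k/(n+l)$        | $p_{\rm sft}(k,c) = (k-c)/n$           | $p_{\rm smp}(c) = c/l$  |
| Estimate of error rate with error probability $\varepsilon$  | $\hat p_\varepsilon(c)$ | $\hat p_{{\rm sft},\varepsilon}(c)$    |                         |

Table 1. Notations of the key lengths, total bits, and sample bits. Functions $\hat p_\varepsilon(c)$ and
$\hat p_{{\rm sft},\varepsilon}(c)$ denote the estimated upper bounds of $p(k)$ and $p_{\rm sft}(k,c)$, under the condition
that there are $c$ errors in sample bits. Parameter $\varepsilon$ denotes the probability that the
estimation fails. See Section 4 for details.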



3. Security Criteria of the BB84 Protocol in the finite case 



3.1. The security of QKD with universal composability 

We employ the definition of the security of QKD with universal composability in the
variable length case [20]. In order to guarantee the security for our protocol, we need to
evaluate the security criteria with universal composability after the privacy amplification
[9]. In this paper, we apply the above definition with the variable length case to the
final state after the privacy amplification [21].

For this purpose, we describe all public information by $x$, including the choice of
a hash function (which corresponds, e.g., to "$f$" of [9]), and the length of the final
key (e.g., "$m$" of [20]). However, here we do not restrict ourselves to those two
cases; it may contain other public information, e.g., the choice of a code for bit error
correction. Hence the length $m$ of the final key is of course a function of $x$. We denote
the probabilistic distribution of $x$ in the actual protocol by $P_{\rm pub}(x)$.

Then we consider the Hilbert space $\mathcal{H}_A \otimes \mathcal{H}_E \otimes \mathcal{H}_X$, consisting of Alice's final key
$\mathcal{H}_A$, Eve's system $\mathcal{H}_E$, and the public information $\mathcal{H}_X$. We define $\mathcal{H}_A = (\mathbb{C}^2)^{\otimes M}$ with
$M$ sufficiently large; so that when $m(x) < M$, Alice uses the (preassigned) subspace
of $\mathcal{H}_A$. Also, following [8], we define the composite system of $E$ and $X$ to be $E'$,
i.e., $\mathcal{H}_{E'} = \mathcal{H}_E \otimes \mathcal{H}_X$. We denote by $\rho_{A,E|x}$ the state of Alice and Eve after privacy
amplification, conditioned on public information $x$. Hence, the state after privacy
amplification takes the form $\rho_{A,E'} = \sum_x P_{\rm pub}(x)\,\rho_{A,E|x} \otimes |x\rangle\langle x|$.

In this notation, we consider conditional probabilities with respect to length $m$ of
the final key. The actual protocol generates the final key of $m$ bits with probability
$P_{\rm len}(m) := \sum_{x: m(x)=m} P_{\rm pub}(x)$. The public information $x$ obeys the conditional
distribution $P_{\rm pub}(x|m) := P_{\rm pub}(x)/P_{\rm len}(m)$; hence the conditional actual state given $m$ is a density
matrix $\rho_{A,E'|m} = \sum_{x: m(x)=m} P_{\rm pub}(x|m)\,\rho_{A,E|x} \otimes |x\rangle\langle x|$. The corresponding ideal state
given $m$ is defined to be $\rho_{{\rm ideal}|m} := \rho^{\rm mix}_{A|m} \otimes \rho_{E'|m}$, where $\rho^{\rm mix}_{A|m}$ is the completely mixed state
in the $m$-qubit subsystem of $\mathcal{H}_A$, and $\rho_{E'|m} := {\rm Tr}_A\,\rho_{A,E'|m}$. Thus, under the condition
that the final key length is $m$, the universally composable security can be guaranteed by
bounding the trace distance of these two states, i.e., $\|\rho_{A,E'|m} - \rho_{{\rm ideal}|m}\|_1$ [9].

Parameter $m$ is a random variable in our protocol; hence following [20], we
define the universally composable security by bounding the average trace distance
$\sum_m P_{\rm len}(m)\,\|\rho_{A,E'|m} - \rho_{{\rm ideal}|m}\|_1$. In this case, it is convenient to define $\rho_{\rm ideal} :=
\sum_m P_{\rm len}(m)\,\rho_{{\rm ideal}|m}$. Then the average trace distance can be rewritten as

    $\|\rho_{A,E'} - \rho_{\rm ideal}\|_1 = \sum_m P_{\rm len}(m)\,\|\rho_{A,E'|m} - \rho^{\rm mix}_{A|m} \otimes \rho_{E'|m}\|_1$

    $= \sum_x P_{\rm pub}(x)\,\|\rho_{A,E|x} - \rho^{\rm mix}_{A|m(x)} \otimes \rho_{E|x}\|_1$    (3)

    $\le \sum_x P_{\rm pub}(x)\,\|\rho_{A,E|x} - \rho_{A|x} \otimes \rho_{E|x}\|_1$    (4)

    $+ \sum_x P_{\rm pub}(x)\,\|\rho_{A|x} - \rho^{\rm mix}_{A|m(x)}\|_1$,    (5)

where $\rho_{A|x} := {\rm Tr}_E\,\rho_{A,E|x}$. Hence one may instead bound the sum of the second and
the third lines. Here we used the fact that $\rho_{A,E'} = \sum_x P_{\rm pub}(x)\,\rho_{A,E|x} \otimes |x\rangle\langle x| =
\sum_m P_{\rm len}(m)\,\rho_{A,E'|m}$ for the first equality; and $\rho_{E'|m} = \sum_{x: m(x)=m} P_{\rm pub}(x|m)\,\rho_{E|x} \otimes |x\rangle\langle x|$
for the second equality. The quantity of (5) measures the non-uniformity of Alice's final
key; i.e., it gives the averaged distance between Alice's partial state $\rho_{A|x}$ and the ideally
mixed state $\rho^{\rm mix}_{A|m(x)}$. Note that these two states are equal when Alice and Bob choose a
surjective hash function, because we assume that Alice's raw key obeys the uniform
distribution. In particular, if Alice and Bob use a hash function family which consists
only of surjective functions (such as the modified Toeplitz matrices [H [17] mentioned
in the previous section), it suffices to bound (4) only.

3.2. Decoding error probability of the virtual phase error correction 

We believe that the above definition of security based on the trace distance is the same
as the one used by Renner and others P [9]. Throughout the paper we employ this
definition of security. However, in the remaining part where we actually obtain upper
bounds on the trace distance, we do not use Renner's approach based on the smooth
minimum entropy [8]. Instead, we bound the trace distance $\|\rho_{A,E|x} - \rho_{A|x} \otimes \rho_{E|x}\|_1$
appearing in (4) using the well-known argument by Shor and Preskill [10], as well
as its modification by Hayashi [1]. As we shall see shortly, in these formalisms, the
trace distance is bounded from above by using the decoding error probability of the
(virtual) phase error correction$^{\P}$, which can be identified with the privacy amplification
in the actual protocol. The first step of the proof is to consider a virtual protocol
where Alice and Bob correct bit errors as well as phase errors occurring in the quantum
channel (under Eve's influence) by using the Calderbank-Shor-Steane (CSS) code. By
correcting these two types of errors, Alice and Bob can guarantee that their virtual
channel (obtained as a result of quantum error correction) is noiseless and decoupled
from Eve; thus the key they exchange there is unconditionally secure. The second step
of the proof is to note that, from Eve's view point, this virtual protocol is completely
indistinguishable from the actual protocol. By using this indistinguishability, the
security of the actual protocol follows automatically from that of the virtual protocol.

$^{\P}$ The probability that the (virtual) decoding algorithm fails to give a correct answer.

In these formalisms, phase error correction in the virtual protocol is transformed
to a simple classical data processing in the actual protocol. That is, Alice and Bob
do not need to perform phase error correction in the actual protocol; instead it suffices
to perform a projection $C_1 \to C_1/C_2$, where $C_1$, $C_2$ are the classical CSS code. The
projection $C_1 \to C_1/C_2$ is often called privacy amplification (PA). This is why we often
identify PA with the virtual phase error correction in this paper$^{+}$. (In Ref. [17], we have
shown that the projection $C_1 \to C_1/C_2$ can be replaced by an $\varepsilon$-almost dual universal$_2$
hash function family.)

The original argument of Shor and Preskill was later improved in Refs. [22, 23],
where it was shown that the virtual phase error correction and the bit error correction
can be discussed separately. In fact the virtual phase error correction is essential for
guaranteeing security, while the bit error correction is necessary only for equalizing
Alice's and Bob's final keys. As a result of this observation, the trace distance
$\|\rho_{A,E|x} - \rho_{A|x} \otimes \rho_{E|x}\|_1$ of (4) can be bounded as [1]

    $\|\rho_{A,E|x} - \rho_{A|x} \otimes \rho_{E|x}\|_1 \le 2\sqrt{2}\sqrt{P_{{\rm ph}|x}}$,    (6)

where $P_{{\rm ph}|x}$ denotes the conditional decoding error probability of the virtual phase error
correction, given public information $x$. By taking the average of (6) with respect to $x$,
and by noting that the function $a \mapsto \sqrt{a}$ is concave, we have

    $\sum_x P_{\rm pub}(x)\,2\sqrt{2}\sqrt{P_{{\rm ph}|x}} \le 2\sqrt{2}\sqrt{\sum_x P_{\rm pub}(x) P_{{\rm ph}|x}} = 2\sqrt{2}\sqrt{P_{\rm ph}}$,    (7)

where $P_{\rm ph}$ denotes the decoding error probability of the virtual phase error correction.
As to the non-uniformity of the final key given in (5), recall that we assumed that
Alice's random variable obeys the uniform distribution. Then the left over hash lemma
[21 125] yields

$^Ppub(a;)||pA|x-PAM.)lli < $^Ppub(a;)2-^, (8) 

X X 

where $a(x)$ is the number of sacrifice bits in the privacy amplification.
Hence by combining (3)-(5), (7), and (8) we obtain

a(x)_ 



\PA,E' — Pldeal 



\,<2V2^/P~^+J2Ppuh{x)2-'^. (9) 



In other words, in order to guarantee the security with universal composability, it suffices
to bound the quantity on the right hand side of (9). In particular, as we have noted
below (5), the second term on the right hand side of (9) is exactly zero when all of the
hash functions are surjective; in this case the above inequality is replaced by

    $\|\rho_{A,E'} - \rho_{\rm ideal}\|_1 \le 2\sqrt{2}\sqrt{P_{\rm ph}}$.    (10)

Hence, in order to guarantee the universally composable security, it suffices to bound
$P_{\rm ph}$.

$^{+}$ However, the actual protocol does not necessarily have a counterpart for any operation in the virtual
protocol. For example, the actual protocol has no operation corresponding to measurement of the
syndrome in the virtual protocol.

3.3. Conditional decoding error probability given k 

In this subsection we show that, in order to bound the decoding error probability $P_{\rm ph}$
of the virtual phase error correction, it is sufficient to bound $P_{{\rm ph}|k}$ for all $k$, where $P_{{\rm ph}|k}$
denotes the corresponding conditional probability given $k$. We also show that a bound
on $P_{{\rm ph}|k}$ can be given in a concise form using the hypergeometric distribution $P_{\rm hg}(c|k)$
and binary entropies.

First note that, without loss of generality, Eve's eavesdropping strategy can be
described by the probability distribution $Q_{\rm Eve}(k)$ of $k$, which is the number of errors in
the total bits $n + l$.$^{*}$ Then $P_{\rm ph}$ can be rewritten as $P_{\rm ph} = \sum_k Q_{\rm Eve}(k) P_{{\rm ph}|k}$, where $P_{{\rm ph}|k}$
denotes the conditional decoding error probability given $k$.

Next we consider the conditional probability $P_{\rm hg}(c|k)$ of $c$ given $k$; i.e., the
probability that $c$ bits of errors are found in sample bits when there are $k$ errors
in the total bits. Since sample bits are sampled without replacement, $c$ obeys the
hypergeometric distribution for a fixed value of $k$:

P^.m := A^;^, (11) 

with the average $\bar{c}$ and the deviation $\sigma$ given by

In the following, $\sigma_{n,l}(k)^2$ is simplified to $\sigma(k)^2$. Hence values of $k, c$ occur with
probability $Q_{\rm Eve}(k) P_{\rm hg}(c|k)$. (Here sample bits are sampled without replacement simply
because one cannot measure both the phase and the bit values of a qubit simultaneously,
and thus Alice and Bob cannot reuse the sample bits as a sifted key. If one could
somehow sample them with replacements, the hypergeometric distribution here would
of course be replaced by the binomial distribution, which is much simpler.)

Finally we consider the conditional decoding error probability $P_{{\rm ph}|k,c}$ for fixed values
of $k$ and $c$. In this case, the number of phase error patterns of total bits is bounded
from above by $2^{n h((k-c)/n)}$ (see, e.g., Lemma 4.2.2, Ref. [29]). Due to the construction of
the protocol, the number of the sacrificed bits $a(c)$ is fixed. As we have shown in Ref.
[17], if Alice and Bob use a linear universal$_2$ hash function family for PA in the actual
protocol, it can be considered as the situation in the virtual protocol where they use a
2-almost universal$_2$ linear code family for phase error correction (i.e., a linear 2-almost
universal$_2$ hash function family is used as the syndrome function for correcting phase
errors). Then the decoding error probability $P_{{\rm ph}|k,c}$ of the virtual phase error correction
can be bounded as

    $P_{{\rm ph}|k,c} \le S_{\rm pa}(k,c) := 2 \cdot 2^{[g(k,c)]^-} = 2^{[g(k,c)]^- + 1}$,    (13)

    $g(k,c) := n h((k-c)/n) - a(c)$

    $= n h((k-c)/n) - n h(\hat p_{\rm sft}(c+2)) - D$    (14)

    $= n h(p_{\rm sft}(k,c)) - n h(\hat p_{\rm sft}(c+2)) - D$,

where $[x]^- := \min(x, 0)$. It is easy to see that Inequality (13) holds when the completely
random matrices (a type of universal$_2$ hash functions) are used for PA, as in Koashi's
case [16]. It is also shown to hold when the Toeplitz matrices (another universal$_2$
hash function family) are used for PA, by using the fact that dual matrices of the
Toeplitz matrices generate universal$_2$ hash functions [1]. More generally, in Ref. [17],
we have further shown that Inequality (13) is valid when an arbitrary family of universal$_2$
functions is used for PA.

$^{*}$ In the general setting, Eve is allowed to use the superposition among different integers $k$. In order to
treat such a case, we introduce the distribution $Q_{\rm Eve}(k)$ here.

Hence, to summarize, under Eve's strategy $Q_{\rm Eve}(k)$, error numbers $k, c$ are
distributed by $Q_{\rm Eve}(k) P_{\rm hg}(c|k)$. For fixed values of $k, c$, the virtual phase error correction
fails with a probability less than $S_{\rm pa}(k,c)$ given in (13). Combining these probabilities,
we see that the decoding error probability $P_{\rm ph}$ of the virtual phase correction can be
bounded as

    $P_{\rm ph} = \sum_k Q_{\rm Eve}(k) P_{{\rm ph}|k} \le \sum_k \sum_c Q_{\rm Eve}(k) P_{\rm hg}(c|k) S_{\rm pa}(k,c)$    (15)

    $= \sum_k Q_{\rm Eve}(k) S_{\rm av}(k) \le \max_k S_{\rm av}(k)$,    (16)

where $S_{\rm av}(k)$ is defined by

    $S_{\rm av}(k) := \sum_{c=0}^{c_{\max}} P_{\rm hg}(c|k) S_{\rm pa}(k,c)$.    (17)

Since Eve's strategy $Q_{\rm Eve}(k)$ can be arbitrary, $P_{\rm ph}$ can be bounded if and only if
$\max_k S_{\rm av}(k)$ is bounded. Hence in what follows, we will concentrate on obtaining upper
bounds on $\max_k S_{\rm av}(k)$.

As one can see from the definition of $S_{\rm pa}(k,c)$ in (13), (14), a straightforward way
of minimizing $\max_k S_{\rm av}(k)$ is to define the function $\hat p_{\rm sft}(c)$ so that it always gives a large
value; this corresponds to the situation where, looking at $c$, Alice and Bob always give a
pessimistic estimate $\hat p_{\rm sft}(c)$ that is much larger than the actual value $p_{\rm sft}(k,c)$. However,
as one can see from the definition of $a(c)$ in (1) and the final key length $G$ given in the
previous section, a large $\hat p_{\rm sft}(c)$ results in a poor key generation rate. Rather, in order to
achieve high key generation rates and the high-level security simultaneously, one needs
to minimize $\max_k S_{\rm av}(k)$ by considering the contributions of the two factors, $P_{\rm hg}(c|k)$
and $S_{\rm pa}(k,c)$. Hence we define $\hat p_{\rm sft}(c)$ so that it becomes as close as possible (and larger)
to the actual value $p_{\rm sft}(k,c)$, in the regions of $k, c$ where $P_{\rm hg}(c|k)$ is not negligible. This
is equivalent to the estimation problem of an upper bound of $p_{\rm sft}(k,c)$:

(i) For a given $c$, we give a suitable choice of the estimated value $\hat p_{\rm sft}(c)$ for the phase
error rate of a sifted key. Alice and Bob use this value to calculate the value of $a(c)$
of (1), and obtain the final key length $G$. This will be done in Section 4.

(ii) With the suitable choice of $\hat p_{\rm sft}(c)$, we obtain a universal upper bound on the RHS
of (17) that is independent of $k$, and thus an upper bound of $P_{\rm ph}$. This will be
done in Section 5.

4. Upper confidence limit on the phase error rate $p_{\rm sft}(k,c)$

Now let us turn to the definition of $\hat p_{\rm sft}(c)$. As mentioned above, since length $l$ of sample
bits is finite in practical QKD systems, the phase error rate of a sifted key $p_{\rm sft}(k,c)$
deviates from that of sample bits, $p_{\rm smp}(c)$, due to statistical fluctuations. Hence, in
order to guarantee the security by privacy amplification, instead of $p_{\rm smp}(c)$, one needs
to use the estimated upper bound $\hat p_{\rm sft}(c)$ of $p_{\rm sft}(k,c)$, defined with the statistical effect
taken into account.

As long as $p_{\rm sft}(k,c)$ is estimated larger than the actual value, i.e., $\hat p_{\rm sft}(c) > p_{\rm sft}(k,c)$,
there is no loss of security, because then more information is erased by the privacy
amplification than is actually leaked to Eve. On the other hand, however, one needs to
avoid a situation where $p_{\rm sft}(k,c)$ is underestimated, i.e., $\hat p_{\rm sft}(c) < p_{\rm sft}(k,c)$. In such a
case, the privacy amplification of the previous section does not work since [g{k, c)]" = 0. 
Hence, at least as a necessary condition, the function $\hat p_{\rm sft}$ needs to satisfy

$$\Pr\nolimits_k\{\, c \mid \hat p_{\rm sft}(c) > p_{\rm sft}(k,c) \,\} > 1-\varepsilon \quad \text{for } \forall k, \tag{18}$$

where $\Pr_k\{c \mid Q\}$ denotes the probability that $c$ occurs satisfying a condition $Q$, under
the hypergeometric distribution $P_{\rm hg}(c|k)$. In order to maximize the key generation rate
for fixed values of $l, n$, we wish to make $\hat p_{\rm sft}(c)$ as small as possible. In statistics,
this corresponds to an interval estimation problem. That is, finding $\hat p_{\rm sft}(c)$ satisfying
(18) is to obtain an upper confidence limit on $p_{\rm sft}(k,c)$ from an observed value of $c$, with
significance level $\varepsilon$ (see, e.g., [27]).

Footnote: A similar analysis was given by Fung et al. [26]. However, they seem to evaluate
$P_{\rm hg}(c|k)S_{\rm pa}(k,c)$ without the summation. This corresponds to the probability that a certain
set of values $k$ and $c$ occur and then the virtual phase error correction by Alice and Bob fails.

In the following, we derive the minimum estimate $\hat p_{{\rm sft},\varepsilon}(c) = \hat p_{\rm sft}(c)$ satisfying
the condition (18) under the normal approximation of $P_{\rm hg}(c|k)$ by employing interval
estimation of $k$. Although there is a standard procedure found in every textbook for
this analysis (e.g., [27]), we reproduce it below for the sake of explanation. First we
define the normal distribution function by

$$\Phi(x) := \frac{1}{\sqrt{2\pi}} \int_x^\infty \exp(-y^2/2)\,dy, \tag{19}$$

and $s(\varepsilon)$ as the deviation corresponding to $\varepsilon$, i.e.,

$$s(\varepsilon) = \Phi^{-1}(\varepsilon) \tag{20}$$

such that $\varepsilon = \Phi(s(\varepsilon))$. In what follows, we often abbreviate $s(\varepsilon)$ to $s$. Then, by applying
the normal approximation to $P_{\rm hg}(c|k)$, we have the relation

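$$\Pr\nolimits_k\{\, c \mid c > \bar c(k) - s(\varepsilon)\sigma(k) \,\} > 1-\varepsilon \tag{21}$$

for any integer $k$; that is, $c > \bar c(k) - s(\varepsilon)\sigma(k)$ holds at least with probability $1-\varepsilon$ for any
integer $k$. Note that this condition is equivalent to $(c - \bar c(k))^2 < s(\varepsilon)^2\sigma(k)^2$ or $c > \bar c(k)$.
We rewrite this condition further as

$$(p_{\rm smp} - p)^2 < 4\gamma p(1-p), \quad \text{or} \quad p_{\rm smp} > p, \tag{22}$$

where $p = k/(n+l)$, $p_{\rm smp}(c) = c/l$, and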

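The condition (22) is equivalent to $p < \hat p_\varepsilon(c)$, where $\hat p_\varepsilon(c)$ is a solution of
$(p_{\rm smp} - \hat p_\varepsilon)^2 = 4\gamma\,\hat p_\varepsilon(1 - \hat p_\varepsilon)$ given by

$$\hat p_\varepsilon(c) := \frac{1}{1+4\gamma}\left( p_{\rm smp} + 2\gamma + 2\sqrt{\gamma\{p_{\rm smp}(1 - p_{\rm smp}) + \gamma\}} \right). \tag{24}$$

That is, $k/(n+l) = p < \hat p_\varepsilon(c)$ holds at least with probability $1-\varepsilon$ for any integer $k$.
In other words, the rate $\hat p_\varepsilon(c)$ gives the upper bound of one-sided interval estimation of
$p = k/(n+l)$. Using this estimate, we define another function

$$\hat p_{{\rm sft},\varepsilon}(c) := \left(\hat p_\varepsilon(c)(n+l) - c\right)/n = \frac{n+l}{n}\,\hat p_\varepsilon(c) - \frac{l}{n}\,p_{\rm smp}(c). \tag{25}$$

Then, again, the inequality $\hat p_{{\rm sft},\varepsilon}(c) > p_{\rm sft}(k,c) = (k-c)/n$ holds at least with probability
$1-\varepsilon$ for any integer $k$. As a result, by choosing $\hat p_{\rm sft}(c)$ as $\hat p_{{\rm sft},\varepsilon}(c)$, we can satisfy the
condition (18). Throughout the paper, we will use these definitions of $\hat p_\varepsilon(c)$ and $\hat p_{{\rm sft},\varepsilon}(c)$
in calculating $a(c)$.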

Now two remarks are in order. First, if there are sufficiently many samples
(i.e., with $l$ large and thus $\gamma$ sufficiently small), the error number $c$ has roughly the
same distribution, irrespective of whether the samples are picked up with or without
replacement. In such a case, as we mentioned under Eq. (12), the hypergeometric
distribution $P_{\rm hg}(c|k)$ can be approximated by the binomial distribution. Indeed, to the
first order of $\sqrt{\gamma}$, the estimated value $\hat p_\varepsilon(c)$ of Eq. (24) can be approximated as



Pe{c) ^ Psmp(c) + ■jJ ,i_^ ^hu 



= Psmp(c) + yW^— y— YY/Psmp(c)(l -Psmp(c)), 

where $\sigma_{\rm bin}(c) := \sqrt{l\,p_{\rm smp}(c)(1 - p_{\rm smp}(c))}$ denotes the deviation of the binomial
distribution with the error rate of the sample bits being $p_{\rm smp}(c) = c/l$. Furthermore,
by using the inequality Psmp(c) + f ^/^^ri o"bin(c) < Psmp(c) + fabin(c), and by noting 
that a larger $\hat p_\varepsilon(c)$ always gives a better security bound, we can instead use a simpler
approximation given by

$$\hat p_\varepsilon(c) \simeq p_{\rm smp}(c) + \frac{s}{l}\,\sigma_{\rm bin}(c). \tag{26}$$

The approximated upper bound of (26) can also be obtained by an argument similar to
the above, with the hypergeometric distribution replaced by the binomial distribution.
This means that, for $l$ sufficiently large, one can conclude that the phase error rate
$p(k,c)$ of the total bits can be bounded from above by $\hat p_\varepsilon(c)$ of (26), which is simply the
measured error rate $p_{\rm smp}(c)$ of the samples, plus $s$ times its standard deviation $\frac{1}{l}\sigma_{\rm bin}$.
The actual value exceeds this bound only with a probability less than $\Phi(s)$; or in other
words, this estimation fails only with a probability less than $\Phi(s)$.

5. Upper bounds on the decoding error probability $P_{\rm ph}$

Throughout the paper, we assume that Alice and Bob perform the protocol specified in
Section 2, using the estimated upper bound $\hat p_{{\rm sft},\varepsilon}(c)$ of (24) and (25), obtained in the
previous section. That is, we here substitute $\hat p_{{\rm sft},\varepsilon}(c)$ for $\hat p_{\rm sft}(c)$ in (1), and as a result
of that, Alice and Bob use sacrifice bits of a{c) = h (]3sft,£(max[c, Cmin])) + D in the PA 
step. In this setting, we evaluate the decoding error probability $P_{\rm ph}$ and obtain
several upper bounds.

5.1. The Straightforward Upper Bounds 

In Section 3.3 we showed that, in order to bound $P_{\rm ph}$, it suffices to bound $S_{\rm av}(k)$ of (17)
for all values of $k$. In this subsection, we first present a simple evaluation of $P_{\rm ph}$, where
we divide the summation $S_{\rm av}(k)$, given in (17), into two regions of $c$. This method is
similar to those used in preceding literature [H E] , and we call it here the straightforward
method.

For each value of $k$, we set the boundary value $c_{\rm bnd}(k) := \lfloor \bar c(k) - s\sigma(k) \rfloor$, and divide
the summation of (17) as

$$S_{\rm av}(k) = \sum_{c=0}^{c_{\max}} P_{\rm hg}(c|k)\,S_{\rm pa}(k,c) \tag{27}$$

$$< \sum_{c=0}^{\lfloor \bar c(k) - s\sigma(k) \rfloor} P_{\rm hg}(c|k) + \sum_{c=\lfloor \bar c(k) - s\sigma(k) \rfloor + 1}^{c_{\max}} P_{\rm hg}(c|k)\,S_{\rm pa}(k,c) \tag{28}$$

$$< \sum_{c=0}^{\lfloor \bar c(k) - s\sigma(k) \rfloor} P_{\rm hg}(c|k) + \max_{c \in [\bar c(k) - s\sigma(k),\, c_{\max}]} S_{\rm pa}(k,c). \tag{29}$$

(In what follows, we often write $\bar c$, $\sigma$, $s$ instead of $\bar c(k)$, $\sigma(k)$, $s(\varepsilon)$.) Then, by using
the properties of $\hat p_{{\rm sft},\varepsilon}(c)$ given in the preceding section, the two terms of (29) can be
evaluated as follows:

(i) The first summation of (29) is the probability $\Pr_k\{\, c \mid c < \bar c(k) - s(\varepsilon)\sigma(k) \,\}$. As
we have shown in the preceding section, this term is less than $\varepsilon$ (see (21)), if one
applies the normal approximation to $P_{\rm hg}(c|k)$. To put it more explicitly, apply the
normal approximation of the form:

j^PUc\k)c^^t\-^l'dx (30) 

c=a * •»" 

with Cc '■= {c — c{k))/a{k). Then it follows that the first term of (l29l) is less than 
$\Phi(s(\varepsilon)) = \varepsilon$, where $\Phi(s)$ is the normal distribution function given in (19).

(ii) In the second term of (29), the function S'pa(fc, c) = 2'^^'^''^-*] ^^ is maximized at
$c = \bar c(k) - s\sigma(k)$, because $g(k,c)$, defined in (14), is decreasing with $c$. Also note
that

$$\hat p_{{\rm sft},\varepsilon}(\bar c(k) - s\sigma(k)) = p_{\rm sft}(k, \bar c(k) - s\sigma(k))$$

holds by the definition of $\hat p_{{\rm sft},\varepsilon}(c)$, given in (24) and (25). Thus from (14), we
have

$$g(k, \bar c(k) - s\sigma(k)) = n h\left(p_{\rm sft}(k, \bar c(k) - s\sigma(k))\right) - a(\bar c(k) - s\sigma(k))$$
$$< n h\left(p_{\rm sft}(k, \bar c(k) - s\sigma(k))\right) - n h\left(\hat p_{{\rm sft},\varepsilon}(\bar c(k) - s\sigma(k))\right) - D = -D.$$

For the inequality of the second line, we used the fact that a{c) = 
/i (Psft,e(max[c, Cmin] + 2)) > /i (psft,e(c)). This means that the second summation 
of (29) can be bounded by $2^{-D+1}$. We remark that, unlike the first term of (29),
this upper bound is valid without relying on the normal approximation.

Note here that both bounds are valid for all values of $k$. Hence by combining these
two upper bounds, we obtain the following proposition.

Proposition 1 For a given $\varepsilon$ (and the corresponding $s(\varepsilon) = \Phi^{-1}(\varepsilon)$), suppose that
$c_{\min} \le c_{\max}$, and that Alice and Bob perform the QKD protocol specified in Section 2.
Then by applying the normal approximation to $P_{\rm hg}(c|k)$, $P_{\rm ph}$ can be bounded as

$$P_{\rm ph} < \max_k S_{\rm av}(k) < \varepsilon + 2^{-D+1}. \tag{31}$$

If one wishes to bound $P_{\rm ph}$ by a certain value, say $P_{\max}$, a convenient choice
of parameters is $\varepsilon = 2^{-D+1} = \frac{1}{2}P_{\max}$, or equivalently, $D = 2 - \log_2 P_{\max}$ and
$s = \Phi^{-1}(\varepsilon) = \Phi^{-1}(\frac{1}{2}P_{\max})$. Then Inequality (10) guarantees that the trace distance
is bounded as $\|\rho_{A,E'} - \rho_{\rm ideal}\|_1 < 2\sqrt{2}\sqrt{P_{\max}}$, if Alice and Bob use a universal$_2$ hash
function family that consists of linear and surjective functions.

Further, if parameters $l$ and $n$ are sufficiently large, we can also obtain a tight bound
on the first term of (29) without relying on the normal approximation of $P_{\rm hg}(c|k)$.

Footnote: In fact, this is exactly the way we planned when we defined $\hat p_{{\rm sft},\varepsilon}(c)$: As mentioned in sentences
below (|46|) , the function $\hat p_\varepsilon(c)$ is defined so that the condition $\hat p_\varepsilon(\bar c(k) - s\sigma(k)) = p(k)$ is satisfied for
all $k$. This condition is equivalent to $\hat p_{{\rm sft},\varepsilon}(\bar c(k) - s\sigma(k)) = p_{\rm sft}(k, \bar c(k) - s\sigma(k))$, due to the definitions of
$\hat p_{{\rm sft},\varepsilon}(c)$ and $p_{\rm sft}(k,c)$ given in (25) and in Table 1.

Footnote: Of course, the optimal choice is to let $\varepsilon = \alpha P_{\max}$ and $2^{-D+1} = (1-\alpha)P_{\max}$, and then find the optimal
$0 < \alpha < 1$ that yields the largest key generation rate. However, we do not pursue this optimality in the
rest of the paper, since varying $\alpha$ contributes very little to the key rate in typical situations.

Lemma 1 If |s(e)^ ^ I ^ n, $1 < k$, and $c_{\max} \le 0.12\,l$, we have

min{[c-SO-J,Cniax) 



n 

c=0 



E/ ,,N in + l s(e)'^ + 2n ,, , , 

Phg(c|fc) < \^—-\\^ e'^^, (32) 



where $\mu := 1/(6n) + 1/12$. Note that this bound holds rigorously, without relying on
the normal approximation of $P_{\rm hg}(c|k)$.

This lemma will be proved in Appendix B.3.

Now recall that the upper bound $2^{-D+1}$, obtained above for the second term of (29),
does not rely on any approximation either. Hence, besides Proposition 1, we can obtain
another bound on $P_{\rm ph}$ that is similarly tight, and is valid rigorously without relying on
any approximation:

Proposition 2 Suppose that ^s{e) <l <n, and $c_{\max} < 0.12\,l$ are satisfied for a given
$\varepsilon$ (i.e., with $\Phi(s) = \varepsilon$). Also assume that Alice and Bob perform the QKD protocol
specified in Section 2. Then without using the normal approximation of $P_{\rm hg}(c|k)$, we
have


Pph < maxSa.(fc) < >(^)^ + 2vr /n+|^,^^^_^^,_ ^33^ 

k \ 2 \ n 

5.2. The Upper Bounds by The Gaussian Integration 

In the above analysis of the straightforward bounds, if one wishes to bound $P_{\rm ph}$ by a
certain value, say $P_{\max}$, it is necessary to let $D > 1 - \log_2 P_{\max}$. Hence, if one chooses a
very small $P_{\max}$ in order to achieve high-level security, this $D$ can decrease the final
key length severely through the sacrificed bit length (1).

In this subsection, we derive improved bounds that hold with $D = 1$. We call
them here the Gaussian bounds for the following reason. The first step of the analysis
is similar to that of the previous section; i.e., we divide the summation of $S_{\rm av}(k)$ as
in (28) and obtain upper bounds for each term. For the first term of (28), we use the
normal approximation (30) again and bound it by $\varepsilon$. However, for the second term of
(28), we employ a quite different strategy: We approximate $P_{\rm hg}(c|k)$ by using (30), and
also upper bound $S_{\rm pa}(k,c)$ by an exponential function of a simple linear function of $c$
(specified below in (35)). By using this simple form, we evaluate the summation over
$c$ as a Gaussian integral. As a result of this integration, instead of $2^{-D+1}$ appearing in
the previous subsection, we obtain an upper bound $\delta\varepsilon$ on the second term, with $\delta$ being
small for large $l, n$.

In order for this strategy using the Gaussian integration to work properly, parameter
$k$ must be confined to a specific region. Thus as a preparation, we consider the following
three cases depending on the value of $k$:

(i) If $k$ is too small (i.e., $0 < k < n c_{\min}/l$), it can be shown that $S_{\rm pa}(k,c)$ is always
bounded by $\varepsilon$, by using the properties of $g(k,c)$. Thus $S_{\rm av}(k) < \varepsilon$.

(ii) For the intermediate domain where $n c_{\min}/l < k < (n+l)\hat p_{{\rm sft},\varepsilon}(c_{\max})$, the function
$g(k,c)$ (used for Spi^{k,c) = 2^^^'''''^^ ~^^) can be bounded from above by a simple
function, i.e., a constant or a linear function of $c$.

(iii) If $k$ is too large (i.e., $(n+l)\hat p_{{\rm sft},\varepsilon}(c_{\max}) < k$), we can also show that $S_{\rm av}(k)$ is less
than $\sum_{c=0}^{\lfloor \bar c - s\sigma \rfloor} P_{\rm hg}(c|k)$.



The more precise argument will be given in Appendix C, and we have the following
theorem.

Theorem 1 Let $D = 1$. If $c_{\min} < c_{\max}$ and $2 < s(\varepsilon)$, then $S_{\rm av}(k)$ is bounded from above
as follows.

• (Case 1) If $0 < k < n c_{\min}/l$,

$$S_{\rm av}(k) < \varepsilon. \tag{34}$$

• (Case 2) If $n c_{\min}/l < k < (n+l)\hat p_{{\rm sft},\varepsilon}(c_{\max})$, for an arbitrary possible outcome $c$,
we have

$$S_{\rm pa}(k,c) < \min\left(2^{-\beta(c - (\bar c - s\sigma) + 1)},\ 1\right), \tag{35}$$

where

$$\beta := \frac{n+l}{l(1+4\gamma)}\,h'\left(\hat p_{{\rm sft},\varepsilon}(c_{\max})\right). \tag{36}$$

Thus

$$S_{\rm av}(k) < \sum_{c=0}^{\min(\lfloor \bar c - s\sigma \rfloor,\, c_{\max})} P_{\rm hg}(c|k) + \sum_{c=\lfloor \bar c - s\sigma \rfloor + 1}^{c_{\max}} P_{\rm hg}(c|k)\,2^{-\beta(c - (\bar c - s\sigma) + 1)}. \tag{37}$$

• (Case 3) If $(n+l)\hat p_{{\rm sft},\varepsilon}(c_{\max}) < k$, then $c_{\max} < \bar c - s\sigma$ holds by the definition of
$\hat p_{{\rm sft},\varepsilon}(c)$. Hence

$$S_{\rm av}(k) < \sum_{c=0}^{c_{\max}} P_{\rm hg}(c|k) < \sum_{c=0}^{\lfloor \bar c - s\sigma \rfloor} P_{\rm hg}(c|k). \tag{38}$$

(For the proof of this theorem, see Appendix C.) We stress that the normal
approximation to $P_{\rm hg}(c|k)$ is not yet applied, and thus all inequalities are rigorous at
this stage.

Footnote: It is true that we used the normal approximation in deriving $\hat p_{{\rm sft},\varepsilon}(c)$ in (25) and (24), and that $\hat p_{{\rm sft},\varepsilon}(c)$
is used in the statement of Theorem 1. However, in the proof of Theorem 1 we use no approximation;
thus the theorem holds rigorously, without any approximation.

Then in the rest of this subsection, we will show that the right hand side of each
inequality of Theorem 1 can be bounded from above by $(1+\delta)\varepsilon$, with $\delta$ being smaller
than one for sufficiently large $l, n$. In other words, we obtain an upper bound on $S_{\rm av}(k)$
that is valid for all $k$, and thus an upper bound on $P_{\rm ph}$ (recall the argument of Section
3.3). Let us first discuss the easier cases, namely, Cases 1 and 3. As mentioned above,
for these two cases $S_{\rm av}(k)$ can be easily shown to be less than $\varepsilon$: For Case 1, it is already
proved in Theorem 1. For Case 3, if one applies the normal approximation to $P_{\rm hg}(c|k)$,
$S_{\rm av}(k)$ is bounded by $\varepsilon$, as can be seen by the same argument as in the previous section
(see the paragraph of (30)).

Hence it remains to evaluate Case 2, where parameter $k$ is restricted as $n c_{\min}/l <
k < (n+l)\hat p_{{\rm sft},\varepsilon}(c_{\max})$. As mentioned above, we here show that $S_{\rm av}(k)$ can be rewritten
as the Gaussian integration in this case. In Inequality (37), the first term on the
right hand side can be bounded by $\varepsilon$, with the approximation applied to $P_{\rm hg}(c|k)$.
For the second term, which is a summation over $c$, we replace $P_{\rm hg}(c|k)$ with the
normal approximation. In addition to that, we replace $S_{\rm pa}(k,c)$ appearing in the same
summation by the right hand side of (35). Then the summation can be rewritten as a
Gaussian integral:



E ^hg(c|A;)2- 


/3(c-(c-sa)+l) 




c=[c— so-J 


1 /-(Cmax — c)/(T 


r X^ 1 


~ —= / exp 
V27r J-s 


-—-six + s)Uk) 


1 f^ 


-—-six + s)Uk) 


dx. 


1 1"^ 

V27r i(c,-i)s 


=: h iUk)) , 









(39) 



dx. 



(40) 
(41) 



where

$$\xi_\varepsilon(k) := (\ln 2)\,\beta\,\sigma(k)/s(\varepsilon).$$

Further, in order to bound $I_2(\xi_\varepsilon(k))$ using $\varepsilon$, we introduce the inequalities

p ^ /^ < $(x) < — e / , 



(42) 



where $\Phi(x)$ is the normal distribution function given in (19). (Inequalities (42) will
also be proved in Appendix C.) By using (42), the integral $I_2(\xi_\varepsilon(k))$ can be evaluated
further as

VI + 27rs-2 



/2 (e.(A:)) < 



Vl + 27rs 



-2 



-$(.(.)) 



(43) 



e.(^) - 1 ' ' " is{k) - 1 

Note here that oilz) is an increasing function of fc, because ^e(/i;) is. Thus the final term 
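of (43) is maximized at the lower boundary $k = n c_{\min}/l$, and we finally obtain

$$I_2(\xi_\varepsilon(k)) < \frac{\sqrt{1 + 2\pi s^{-2}}}{\xi_{\min,\varepsilon} - 1}\,\varepsilon \tag{44}$$

with $\xi_{\min,\varepsilon} := \xi_\varepsilon(n c_{\min}/l)$. We now have the following theorem:

Theorem 2 For a given $\varepsilon$, suppose that $c_{\min} < c_{\max}$, $2 < s(\varepsilon)$ and $1 < \xi_{\min,\varepsilon}$ with

$$\xi_{\min,\varepsilon} := \xi_\varepsilon(n c_{\min}/l) = \frac{(n+l)\ln 2}{s(\varepsilon)\,l\,(1+4\gamma)}\,h'\left(\hat p_{{\rm sft},\varepsilon}(c_{\max})\right)\sigma(n c_{\min}/l). \tag{45}$$

Here $\hat p_{{\rm sft},\varepsilon}(c)$ is defined in Eq. (25), $\sigma$ in Eq. [IE) , and $h'(x) = \log_2\left(\frac{1-x}{x}\right)$. Also assume
that Alice and Bob perform the QKD protocol specified in Section 2. Then with the
normal approximation applied to $P_{\rm hg}(c|k)$, $P_{\rm ph}$ can be bounded as

$$P_{\rm ph} < \max_k S_{\rm av}(k) < (1+\delta)\varepsilon, \tag{46}$$

where

$$\delta := \frac{\sqrt{1 + 2\pi s(\varepsilon)^{-2}}}{\xi_{\min,\varepsilon} - 1}. \tag{47}$$

Note here that none of $c_{\min}$, $\hat p_{{\rm sft},\varepsilon}(c_{\max})$ or $\gamma$ depends on $k$ or $c$, which can vary for
each run of the protocol; thus $\xi_{\min,\varepsilon}$ can be calculated as a fixed value specified by the
protocol. (In other words, $\xi_{\min,\varepsilon}$ is a constant and is thus calculated at the preparation
stage prior to the protocol.)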

Further, as we have done in the previous subsection, if parameters $l$ and $n$ are
sufficiently large, we can also obtain a similarly good bound without relying on the
normal approximation of $P_{\rm hg}(c|k)$ (in Eq. (30)). By using exact upper bounds on
$P_{\rm hg}(c|k)$ including Lemma 1, we obtain the following theorem:

Theorem 3 Suppose that I < I < n, s^ < Cmin < Cmax < 0.12/, and 1 < ^min are
satisfied for a given $\varepsilon$. Also assume that Alice and Bob perform the QKD protocol
specified in Section 2. Then without using the normal approximation of $P_{\rm hg}(c|k)$, we
have



Pph ^ maXOav("^j S: Pph,e(Cmin, ^jnin,ej; (4c 

k 



where 



/s(e)2 + 27r n + l ^ 




/l + 27rs(£)-2 6^+*^ 

V Cmin 



where $\mu = 1/(6n) + 1/12$, $\nu = 1/(12l) + 1/(2(n+l-1))$.



The proof of this theorem is given in Appendix D 



5.3. Second Order Asymptotics 

Now, we roughly estimate the relation between the sacrifice bit length and the upper
bound $\max_k S_{\rm av}(k)$ of the phase error. For this purpose, we focus on the asymptotic
expansion for the sacrifice bit. In the protocol discussed above, the sacrifice
bit length $a(c)$ is $\lceil n h(\hat p_{{\rm sft},\varepsilon}(c+1)) \rceil + 2$ with $\hat p_{{\rm sft},\varepsilon}(c) = \frac{n+l}{n}\hat p_\varepsilon(c) - \frac{l}{n}p_{\rm smp}(c)$ and
$\hat p_\varepsilon(c) = \frac{1}{1+4\gamma}\left(p_{\rm smp} + 2\gamma + 2\sqrt{\gamma\{p_{\rm smp}(1 - p_{\rm smp}) + \gamma\}}\right)$. When the ratio $l/n$ is $t$, we obtain the
asymptotic expansion:

$$\lceil n h(\hat p_{{\rm sft},\varepsilon}(c+1)) \rceil + 2 = n h(p_{\rm smp}(c_{\min})) + \sqrt{n}\,g_t(p_{\rm smp}(c_{\min})) + o(\sqrt{n}), \tag{50}$$

where gt{x) := /i' (x) y ^^—^f — ^-^l^)- When we use only the first term in the above
expansion, the upper bound $\max_k S_{\rm av}(k)$ for the phase error converges to zero or one.
The limit value zero or one cannot be used as an approximation of the upper bound
$\max_k S_{\rm av}(k)$ because the real value of the upper bound $\max_k S_{\rm av}(k)$ takes a value between
zero and one, which is different from zero or one.

However, when we use up to the second order $\sqrt{n}$ in the asymptotic expansion of
$a(c)$, the upper bound $\max_k S_{\rm av}(k)$ converges to a value between zero and one. In this
case, we can use the limit as an approximation of the upper bound $\max_k S_{\rm av}(k)$. That
is, by using the above asymptotic expansion, the virtual phase error can be bounded
in the following way.

Theorem 4 For a given $\varepsilon$, $p_{\min}$, and $p_{\max}$, we choose $c_{\min}$ and $c_{\max}$ as $p_{\min} l$ and
$p_{\max} l$, and assume that $l/n = t$. Also suppose that Alice and Bob perform the QKD
protocol specified in Section 2, except that the sacrifice bit length $a(c)$ is less than
$n h(p_{\rm smp}(c_{\min})) + \sqrt{n}\,g_t(p_{\rm smp}(c_{\min}))$ for $c \in [c_{\min}, c_{\max}]$. Then, the maximum $P_{{\rm ph},n,l}$ of
$S_{\rm av}(k)$ with given $n$ and $t$ can be asymptotically characterized as

lim maxPph,n,/ < S- (51) 

n— >-oo l:l>tn 



The proof will be given in Appendix E 



6. How to use the above formulas to evaluate the security of one's QKD
system

In this section we summarize what we have proved so far, and then explain how one can 
use Proposition 1 or 2, or Theorem 2 or 3 to evaluate the security of one's QKD system. 

6.1. Summary of Our Results 

As discussed in Section 3, the standard quantitative measure of the security of QKD
is the trace distance $\|\rho_{A,E'} - \rho_{\rm ideal}\|_1$ between the actual state $\rho_{A,E'}$ and the ideal state
$\rho_{\rm ideal}$, given in (3). Inequalities (E]) and (10) claim that this trace distance can be
bounded from above by the averaged decoding error probability $P_{\rm ph}$ of the virtual
phase error correction. Throughout the paper, we are interested in bounding $P_{\rm ph}$ by
using the Shor-Preskill formalism. Also in Section 3, we have shown that in order
to bound $P_{\rm ph}$ under an arbitrary attack by Eve, it suffices to bound the probability
$\max_k S_{\rm av}(k)$, with $S_{\rm av}(k)$ defined in (17) (or equivalently, for all $k$, one needs to bound
$S_{\rm av}(k)$ by a certain value). Here the function $S_{\rm av}(k)$ gives an upper bound on the failure
probability $S_{\rm pa}(k,c)$ of the virtual phase error correction, averaged with respect to the
hypergeometric distribution $P_{\rm hg}(c|k)$. Our analyses of Sections 4 and 5 are devoted to
obtaining an upper bound on $\max_k S_{\rm av}(k)$.

In Section 4 we determined the suitable functional form of the upper bound $\hat p_{\rm sft}(c)$
on the phase error rate $p_{\rm sft}(k,c)$ of the sifted key, such that we can achieve high key
generation rates and high-level security simultaneously. The function $\hat p_{\rm sft}(c)$ is used
for calculating the sacrifice bit length $a(c)$ of Eq. (1), i.e., the number of bits that need
to be erased in privacy amplification (PA). This problem can be reduced to determining
an upper bound on parameter $k$, or equivalently, that on the phase error rate $p_{\rm sft}(k,c)$
of a sifted key. For this purpose, we derived an upper bound $\hat p_{{\rm sft},\varepsilon}(c)$ of Eqs. (24) and
(25) on $p_{\rm sft}(k,c)$, as a function of the measured error rate $p_{\rm smp}(c) = c/l$ of sample bits.
We here used the standard method of interval estimation, and the upper bound $\hat p_{{\rm sft},\varepsilon}(c)$
is defined so that, for any value of $k$, the undesired case $p_{\rm sft}(k,c) > \hat p_{{\rm sft},\varepsilon}(c)$ occurs with
a probability $< \varepsilon$ (see Eqs. (18) and (21)).

Then in Section 5, by using this $\hat p_{{\rm sft},\varepsilon}(c)$ and the corresponding sacrificed bit length
$a(c)$ given in (1), we obtained the upper bounds on $S_{\rm av}(k)$ that hold for all $k$. By the
argument of the paragraph of (17), this means that we have given upper bounds on $P_{\rm ph}$.
For the sake of simplicity, we first gave straightforward bounds in Proposition 1 (with
the approximated values of the hypergeometric distribution $P_{\rm hg}(c|k)$) and Proposition 2
(without any approximation). Next we gave the other bounds exploiting the properties
of the Gaussian integration, which yield a larger final key length $G$ for sufficiently large
$l, n$; namely, Theorem 2 (with the approximated $P_{\rm hg}(c|k)$) and Theorem 3 (without any
approximation).

6.2. How to Use The Straightforward Upper Bounds 

6.2.1. The Straightforward Upper Bound With The Normal Approximation (How to Use
Proposition 1) Here we present how to calculate the secret key length of one's QKD
system using the straightforward upper bound on $P_{\rm ph}$ obtained in Proposition 1.

• Preparation steps:

(i) Determine one's desired upper bound $T_{\max}$ on trace distance.
(ii) Calculate the corresponding upper bound on the phase error rate by
$P_{\max} = \frac{1}{8}T_{\max}^2$.
(iii) Let the confidence limit be $\varepsilon = \frac{1}{2}P_{\max}$. Then calculate parameter $s = \Phi^{-1}(\varepsilon)$,
as the inverse value of the normal distribution function $\Phi(x)$ (see the definitions
of $\Phi(x)$ and $s(\varepsilon)$ given in (19), (20)).
(iv) Let $D = \lceil 2 - \log_2 P_{\max} \rceil$.
(v) Determine $c_{\min}$ and $c_{\max}$.
(vi) (Parameter check:) No parameter check is necessary for Proposition 1.

Under this setting of parameters, one can guarantee that $P_{\rm ph} < \varepsilon + 2^{-D+1} < P_{\max}$,
by applying the normal approximation to $P_{\rm hg}(c|k)$ and by using Proposition 1. Then
Inequality (10) guarantees that the trace distance is bounded as $\|\rho_{A,E'} - \rho_{\rm ideal}\|_1 <
2\sqrt{2}\sqrt{P_{\max}} = T_{\max}$. (As specified below, we here assume that Alice and Bob use a
universal$_2$ hash function family that consists of linear and surjective functions.)

• For each run of the protocol:
(vii) Perform the protocol as specified in Section 2. In particular in the PA step,
for the calculation of the length $a(c)$ of (1), use $\hat p_{{\rm sft},\varepsilon}(c)$ defined in Eqs. (24)
and (25), as well as parameters $s$ and $D$ obtained in the preparation steps
above. Then use a universal$_2$ hash function family that consists of linear and
surjective functions, to convert the reconciled key to the secret key.

As noted in Section 2, as a result of this protocol, Alice and Bob obtain the final key of
length $G = n_{\rm rec} - a(c)$ with $a(c)$ given in (1), and $n_{\rm rec}$ being the reconciled key length.
If an error correcting code with efficiency $f$ is used, we have $n_{\rm rec} = n(1 - f h(p_{\rm bit}))$, with
$p_{\rm bit}$ being the bit error rate of the sifted key. Thus Alice and Bob obtain the final key
of length $G$, given in (2).

6.2.2. The Straightforward Upper Bound Without Any Approximation (How to Use
Proposition 2) By using Proposition 2, an exact upper bound on $P_{\rm ph}$ can be obtained,
without relying on the normal approximation of $P_{\rm hg}(c|k)$. In this case all the steps are
the same as those given in Section 6.2.1, except for Steps (iii) and (vi):

(iii') Choose parameter $s$ such that



n + l /s2 + 27r „^, , 1^ 

is satisfied, where $\mu = 1/(6n) + 1/12$.
(vi') (Parameter check:) Check that |s^ < I < n and $c_{\max} < 0.12\,l$ are satisfied. If not,
set $T_{\max}$ smaller and restart from Step (i).

As a result of Step (iii'), we have $\varepsilon = \Phi(s(\varepsilon)) < s^{-1} \times \frac{1}{2}P_{\max}$. This means that, for
a fixed value of $P_{\max}$, one needs to choose $\varepsilon = \Phi(s(\varepsilon))$ to be smaller than that obtained
in Section 6.2.1 by a factor of $s^{-1}$. As a result, $s$ also turns out to be larger, and one ends up
with a smaller final key length. Note, however, that such an increment of $s$ is negligible for
sufficiently large $s$ (e.g., for $s > 10$), because $\Phi(s)$ scales as $e^{-\frac{1}{2}s^2}$ and thus a very small
increment of $s$ compensates the factor of $s^{-1}$ in front of $\frac{1}{2}P_{\max}$. Hence the decrement in
the final key length is very small. We will demonstrate this fact by
a numerical calculation in Section 7.3.

6.3. How to Use The Upper Bounds by The Gaussian Integration (How to Use 
Theorems 2 and 3) 

As mentioned in Section 5.2, if parameters $l$ and $n$ are sufficiently large, we can set
$D = 1$ and still obtain similarly tight bounds on $P_{\rm ph}$ as given in Theorems 2 and 3;
thereby we can improve the final key length $G$. For these cases too, we summarize how
to calculate the secret key length of one's QKD system.

Footnote: Throughout this section, we neglect the deviation of $l, n$ from their averages when the bases $x, z$ are
chosen with a constant probability, and assume that they are constant.

6.3.1. The Gaussian Bound With The Normal Approximation (How to Use The Bound
of Theorem 2) For Theorem 2, the preparation steps are modified as follows:

• Preparation steps:

(i) Determine one's desired upper bound on trace distance $T_{\max}$.
(ii) Calculate the corresponding upper bound on the phase error rate by
$P_{\max} = \frac{1}{8}T_{\max}^2$.

(iii) Set the confidence limit $\varepsilon$ to be slightly smaller than $P_{\max}$. (For example,
if $l, n$ are sufficiently large, $\varepsilon = 0.9P_{\rm ph}$ is usually sufficient.) Then calculate
parameter $s = \Phi^{-1}(\varepsilon)$, as the inverse value of the normal distribution function
$\Phi(x)$ given in (19).

(iv) Let $D = 1$.

(v) Determine $c_{\min}$ and $c_{\max}$, such that the conditions in the first sentence of
Theorem 2 are all satisfied.

(vi) (Parameter Check:) Check if $\delta$ is small enough so that Inequality (46) is
satisfied. If not, go back to Step (iii) and set $\varepsilon$ smaller.

After these preparation steps, Alice and Bob run the protocol as in previous
sections. That is, they run the protocol as specified in Step (vii) of Section 6.2.1.

6.3.2. The Gaussian Bound Without The Normal Approximation (How to Use The
Bound of Theorem 3) As we have done for the case of the straightforward bounds, we
also obtained in Theorem 3 the exact version of the Gaussian bound that does not rely
on the normal approximation of $P_{\rm hg}(c|k)$. This theorem was derived using essentially
the same idea as Theorem 2 and achieves a similarly tight bound, but it does not rely
on any approximation.

For Theorem 3, the preparation steps are the same as Theorem 2 (i.e., the same as
in Section 6.3.1), except for Steps (v) and (vi):

(v') Determine $c_{\min}$ and $c_{\max}$, such that the conditions in the first sentence of Theorem
3 are all satisfied.

(vi') (Parameter Check:) Check if $\delta'$ is small enough so that Inequality (49) is satisfied.
If not, go back to Step (iii) and set $\varepsilon$ smaller.

After these preparation steps, Alice and Bob run the protocol as in previous
sections. That is, they run the protocol as specified in Step (vii) of Section 6.2.1.

6.4. Rough Estimate of The Key Rate and The Security Parameter 

We note here that if $l, n$ are sufficiently large, parameters $\gamma$ and $\delta$ become sufficiently
small, and the approximate evaluation of the key length $G$ of (2) can be greatly
simplified.

As one can see from Steps (i) and (ii) of Section 6.3, bounding $P_{\rm ph}$ is enough for
the security. If $\delta$ is sufficiently small, then according to Theorem 2 (or Step (iii) of
Section 6.3), $P_{\rm ph}$ can be bounded approximately by $\varepsilon$, which determines the value of
$\hat p_{{\rm sft},\varepsilon}(c)$ via Eqs. (24) and (25). Then as we discussed in the paragraph of Eq. (26),
if $\gamma$ is sufficiently small, $\hat p_{{\rm sft},\varepsilon}(c) = \frac{n+l}{n}\hat p_\varepsilon(c) - \frac{l}{n}p_{\rm smp}(c)$ can be approximated by using

$$\hat p_\varepsilon(c) \simeq p_{\rm smp}(c) + \frac{s}{l}\,\sigma_{\rm bin}(c).$$

As a result, if the conditions of the first sentence of Theorem 2 are satisfied for a
given set of experimental parameters, and if $\gamma$ and $\delta$ are sufficiently small, one has the
following rough estimates. The trace distance is approximately bounded by the square
root of $\varepsilon$ as

$$\|\rho_{A,E'} - \rho_{\rm ideal}\|_1 < 2\sqrt{2}\sqrt{P_{\rm ph}},$$

$$P_{\rm ph} < (1+\delta)\varepsilon \simeq \varepsilon.$$

Parameter $s$ is chosen to be the deviation of the standard deviation, i.e., $s = \Phi^{-1}(\varepsilon)$.
Then this $s$ determines the final key length $G$ as

$$G \simeq n\left[1 - f h(p_{\rm bit}) - h(\hat p_{{\rm sft},\varepsilon}(c))\right],$$

$$\hat p_{{\rm sft},\varepsilon}(c) = \frac{n+l}{n}\,\hat p_\varepsilon(c) - \frac{l}{n}\,p_{\rm smp}(c),$$

$$p_{\rm smp}(c) = c/l,$$

$$\hat p_\varepsilon(c) \simeq p_{\rm smp}(c) + \frac{s}{l}\,\sigma_{\rm bin}(c) = p_{\rm smp}(c) + \frac{s}{\sqrt{l}}\sqrt{p_{\rm smp}(c)(1 - p_{\rm smp}(c))}.$$

We expect that these relations will be useful for experimentalists and theorists who wish
to obtain a rough estimate of the key length with the finite size effect taken into account.
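
The preparation steps (i)-(iv) of Section 6.2.1 and the rough estimate of Section 6.4 can be carried out as in the following Python sketch, which is an added example and not code from the paper. The function names and all sample numbers are constructed for illustration, and $\gamma$ is passed to the exact formula (24) as a plain number because its definition is not reproduced in this text.

```python
import math
from statistics import NormalDist


def upper_tail_inverse(eps: float) -> float:
    """Return s with Phi(s) = eps, Phi being the upper-tail function of Eq. (19)."""
    if not 0.0 < eps < 0.5:
        raise ValueError("eps must lie in (0, 0.5)")
    # For eps around 1e-21 the float 1 - eps is exactly 1.0, so inv_cdf(1 - eps)
    # cannot be used; the symmetry Phi(s) = cdf(-s) avoids the cancellation.
    return -NormalDist().inv_cdf(eps)


def binary_entropy(p: float) -> float:
    """Binary entropy h(p) in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def prop1_parameters(t_max: float):
    """Steps (i)-(iv) of Section 6.2.1: return (P_max, eps, s, D)."""
    p_max = t_max ** 2 / 8.0               # from T_max = 2*sqrt(2)*sqrt(P_max)
    eps = p_max / 2.0                      # confidence limit eps = P_max / 2
    s = upper_tail_inverse(eps)            # s = Phi^{-1}(eps)
    d = math.ceil(2.0 - math.log2(p_max))  # ensures 2^(-D+1) <= P_max / 2
    return p_max, eps, s, d


def p_eps_exact(p_smp: float, gamma: float) -> float:
    """Eq. (24): the larger root of (p_smp - p)^2 = 4*gamma*p*(1 - p)."""
    root = math.sqrt(gamma * (p_smp * (1.0 - p_smp) + gamma))
    return (p_smp + 2.0 * gamma + 2.0 * root) / (1.0 + 4.0 * gamma)


def p_eps_rough(c: int, l: int, s: float) -> float:
    """Eq. (26): p_smp + (s / l) * sigma_bin, valid for large l."""
    p_smp = c / l
    sigma_bin = math.sqrt(l * p_smp * (1.0 - p_smp))
    return p_smp + s * sigma_bin / l


def p_sft_bound(p_eps: float, c: int, n: int, l: int) -> float:
    """Eq. (25): bound on the sifted-key phase error rate."""
    return (p_eps * (n + l) - c) / n


def rough_key_rate(n: int, l: int, c: int, p_bit: float, s: float,
                   f: float = 1.1) -> float:
    """Section 6.4: G/n ~ 1 - f*h(p_bit) - h(p_sft_eps(c)), clipped at zero."""
    p_sft = p_sft_bound(p_eps_rough(c, l, s), c, n, l)
    if p_sft >= 0.5:
        return 0.0  # estimated phase error too high: no key
    return max(0.0, 1.0 - f * binary_entropy(p_bit) - binary_entropy(p_sft))


if __name__ == "__main__":
    # Constructed sample values: target trace distance 1e-10, QBER 2.5 %.
    p_max, eps, s, d = prop1_parameters(1e-10)
    print(f"P_max={p_max:.3e} eps={eps:.3e} s={s:.4f} D={d}")
    for size in (10**4, 10**5, 10**6, 10**7):
        c = round(0.025 * size)
        print(size, round(rough_key_rate(size, size, c, 0.025, s), 4))
```

The rough rate omits $D$, the ceiling and the $\max[c, c_{\min}]$ shift that enter the exact $a(c)$, exactly as the estimate of Section 6.4 does.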

7. Numerical results. 

We demonstrate the tightness of our bound with numerical results. We consider a 
quantum channel in the absence of eavesdropper, and assume that it can be described 
as a binary symmetric channel with quantum bit error rate (QBER). 

7.1. Case 1: Basis Choice with Probability $q = 1/2$

First, as a comparison to preceding literature |21ll], we plot key rates for the case where
Alice and Bob choose the $x$ and the $z$ bases with equal probability. We present
two types of evaluations given in Section 6: one is the analysis of Section 6.2.2 using
the straightforward bound of Proposition 2, the other is that of Section 6.3.2 using the
Gaussian bound of Theorem 3. Note that both these bounds are derived without using
the normal approximation; thus all the key generation rates obtained in this subsection
are rigorous.

We assume that Alice and Bob choose both the phase basis and the bit basis
with probability $q = 1/2$, and thus $n = l = N/4$. We also assume that Alice
and Bob consume $r = 40$ bits of a previously shared secret key for exchanging the
hash value, in order to guarantee that ecor < 10~^^ (in the following, these r = 40 
bits will be subtracted from the final key length G). Then we choose Pmax to be 
-Pmax = 0.98 X I X 10~^°, so that the trace distance ||pyi,_B' — pideai||i is guaranteed 
to be less than Tmax = 2 a/2 Pmax = 0.99 x 10"^". By these choices of parameters, we can 
guarantee T^ax + ^cor < 10~^°, which is the same condition as used in Ref. |1]. 

Because $r = 40$ bits are consumed for guaranteeing that Alice's and Bob's final
keys are equal, the effective final key length is $G(c) - r$, with $G(c)$ defined in (2). Hence
in this section, we define the final key rate to be

$$R(c) := \frac{G(c) - r}{n} = \frac{1}{n}\left[ n\left(1 - f h(c/l)\right) - \left\lceil n h\left(\hat p_{{\rm sft},\varepsilon}(\max\{c, c_{\min}\} + 2)\right) \right\rceil - (D + r) \right]. \tag{52}$$

The efficiency of bit error correction is chosen to be $f = 1.1$.

7.1.1. The Straightforward Bound With the above choices of parameters, we perform
the analysis of Section 6.2.2 and obtain the corresponding final key rate R. Here we
restrict ourselves to the case where parameters l, n satisfy 125 < l = n. Parameters
$P_{\max}$ and $T_{\max}$ are already specified above. As to parameter s, we follow Step (iii') and
let s = 9.9, so that 



According to Step (iv), we choose $D = \lceil 2 - \log_2 P_{\max} \rceil = 79$; next according to Step
(v), $c_{\min} = 0.01\,l$ and $c_{\max} = 0.12\,l$. It is easy to verify that all these parameters are
compatible with the parameter checks of Step (vi').

Then we assume that Alice and Bob perform the BB84 protocol (i.e., Step (vii)), in
the quantum channels with QBER = 1%, 2.5%, and 5%. The corresponding key rates
R(c) (with c = l × QBER) are shown as bold curves in Fig. 1 versus n + l.

7.1.2. The Gaussian Bound For the same choice of parameters q, r, $P_{\max}$, D, and for
the same ratio of $c_{\max} = 0.12\,l$ with respect to l, we perform the analysis of Section
6.3.2. The remaining parameters to be fixed are s and $c_{\min}$; hence we here numerically
calculate the pairs of s and $c_{\min}$ that give the best key rate R(c). That is, we first fix l
and n, and then search for the pair of s and $c_{\min}$ that is compatible with the parameter
check and gives the largest R(c). (This corresponds to repeating Steps (iii) through
(vi') of Section 6.3.2 by letting ε be smaller each time, until the largest key length G(c) is
obtained.) The results are shown as thin curves in Fig. 1.

As one can see from Fig. 1, if QBER = 5%, the Gaussian bound gives a better key
rate than the straightforward bound for all l, n. On the contrary, for smaller QBER
(1% and 2.5%), the straightforward bound becomes better for l,n c:^ 5000. 

The dots in Fig. 1 represent the key rates obtained by Tomamichel et al. [4] under
the same condition. It can be clearly seen that our key rates R are better in all parameter
regions. For example, Fig. 1 gives R = 0.19 for QBER = 5% and n + l = 10^, while
Tomamichel et al. gave R = in this region [4]. As n + l becomes larger, R converges very
fast to the asymptotic values; all three curves reach more than 80% of the asymptotic
values at n + l = 2 × 10^.

In particular, as the key size becomes larger, R converges very fast to the asymptotic
values, reaching more than 80% of the asymptotic values at n + l = 2 × 10^. As we have noted in
Section 2, key distillation is quite practical even in this region. That is, the sizes of bit
error correcting codes are independent of security, and thus Alice and Bob may perform
bit error correction by dividing a sifted key of n bits into arbitrarily smaller blocks. As to
privacy amplification, one can use the efficient algorithm for the multiplication of the
(modified) Toeplitz matrix and a vector.

Figure 1. (Color online) Key generation rate R = (G − r)/n versus n + l, which is
the sum of lengths of a sifted key and sample bits. Here we assume that the x and the z
bases are chosen with equal probability, i.e., q = 1/2. The typical QBER are chosen
to be 1% (red), 2.5% (blue), and 5% (black). As to the security, we set r = 40 and 
-Pmax < 0.98 X i X 10~^°, so that Tmax + Ecorr < 10"^°. That is, the sum of the trace 
distance and ecor is less than 10~^°. We have used two types of analysis to achieve this 
value of Pmax: The bold curves represent the key rates based on the straightforward
bound given in Proposition 2 and in Section 6.2.2. The thin curves are based on the
Gaussian bound given in Theorem 3 and in Section 6.3.2. We stress that these curves
are obtained without using the normal approximation. Dots of the same color are the
rates obtained in Figure 2 of Ref. [4].

7.2. Case 2: Optimized Basis Choice with Variable Probability q

Next, as a more practical setting, we consider the case where Alice and Bob choose the
x and the z bases with varying probabilities q, 1 − q (thus, $l = q^2 N$, $n = (1 - q)^2 N$).
Then we maximize the secret fraction F, defined by

$$F(c) = \frac{G(c) - r}{N} = \frac{1}{N}\Big[\, n\big(1 - f\,h(c/l)\big) - \big\lceil n\,h\big(p_{\mathrm{sft},\varepsilon}(\max\{c, c_{\min}\} + 2)\big) \big\rceil - (D + r) \Big] \tag{53}$$

with respect to a fixed raw key length N, where G denotes the final key length. We
use the analysis of Section 6.3.2 based on the Gaussian bound of Theorem 3 (without
any approximation); hence again, all the final key rates obtained in this subsection are
rigorous. Parameters $P_{\max}$, $\varepsilon_{\mathrm{cor}}$ are chosen to be the same as in the previous
subsection. According to Step (iii), we let s(ε) = 10.5 so that $\varepsilon = 4.32 \times 10^{-26} \ll P_{\max}$.
The channel error rates are chosen to be QBER = 1%, 2.5%, and 5%, respectively.

Under these settings, for each fixed value of N, we performed numerical simulations
to select the optimal values of q and $c_{\min}$ that give the maximum value of F(c). That
is, we first fix N, and then search for the pair of q and $c_{\min}$ that is compatible with
the parameter check of Step (vi") and gives the largest F(c). The results are shown in
Figure 2.

7.3. Exact Bounds Versus Approximate Bounds

All the key rates of the previous two subsections are rigorous, in the sense that they 
are obtained without using any approximation. In this final subsection, we demonstrate 
that, for practical parameter regions, the key rates are almost the same, whether one 
uses the analysis based on the normal approximation (i.e., Proposition 1 and Theorem
2), or those without any approximation (i.e., Proposition 2 and Theorem 3).

In Fig. 3, the solid curve shows R(c) obtained in Section 7.1.1 with QBER = 1%.
On the other hand, the dashed curve in the same figure is the key rate R(c) obtained for
the same values of QBER and $P_{\max}$, r, l, n by the procedure of Section 6.2.1; hence this
curve is obtained by using Proposition 1, and thus relies on the normal approximation
of $P_{\mathrm{hg}}$. Similarly in Fig. [U the solid curve shows F(c) obtained in Section 7.1.2 with
QBER = 5%, whereas the dashed curve is obtained by using Theorem 2, which relies on
the normal approximation (here we performed the optimization of s and $c_{\min}$).

Note that for both of these cases, the exact key rate and approximate key rate 
are almost identical. These results suggest that the simple analysis using the normal 
approximation (i.e., Proposition 1 or Theorem 2) can be justified for the security
evaluations of practical QKD systems.

Figure 2. (Color online) Secret fraction F = (G − r)/N versus raw key length
N. Here we assume that Alice and Bob choose the x and the z bases with varying
probabilities q, 1 − q. The probability q and the minimum errors $c_{\min}$ are also optimized
to give maximum F. The typical QBER are chosen to be 1% (red), 2.5% (blue), and
5% (black). Parameters Pph, $\varepsilon_{\mathrm{cor}}$ are chosen to be the same as in Figure 1 so that
Tmax + ecorr < 10""^° is Satisfied. 
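
The comparison of Section 7.3 can be checked at the level of the sampling tail itself. The following is an added example, not code from the paper: it compares the exact hypergeometric probability that the l sample bits under-count the errors by s standard deviations with the normal tail Φ(s). It assumes $P_{\mathrm{hg}}(c|k) = \binom{l}{c}\binom{n}{k-c}/\binom{n+l}{k}$, the standard hypergeometric mean and standard deviation in place of the paper's c̄(k) and σ(k), and Φ as the upper tail of the standard normal; all function names and sample inputs are illustrative.

```python
import math


def hypergeom_lower_tail(n, l, k, c_max):
    """Exact Pr[C <= c_max]: C = number of errors that land in the l sample bits
    when k errors are spread uniformly over the n + l received bits."""
    lo = max(0, k - n)            # the n sifted bits can hold at most n errors
    hi = min(c_max, l, k)
    if hi < lo:
        return 0.0
    favourable = sum(math.comb(l, c) * math.comb(n, k - c) for c in range(lo, hi + 1))
    # Exact big-integer ratio; Python rounds int/int correctly even for huge operands.
    return favourable / math.comb(n + l, k)


def sample_mean_std(n, l, k):
    """Mean and standard deviation of C (standard hypergeometric formulas,
    assumed here to be the paper's c-bar(k) and sigma(k))."""
    total = n + l
    mean = l * k / total
    var = l * n * k * (total - k) / (total * total * (total - 1))
    return mean, math.sqrt(var)


def normal_upper_tail(s):
    """Phi(s) = Pr[Z >= s] for a standard normal Z (assumed convention)."""
    return 0.5 * math.erfc(s / math.sqrt(2.0))


def s_for_epsilon(eps, lo=0.0, hi=40.0):
    """Invert normal_upper_tail by bisection: the s with Phi(s) = eps."""
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if normal_upper_tail(mid) > eps:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def compare_tails(n, l, k, s):
    """Probability that the sample under-counts the errors by s standard
    deviations: exact hypergeometric value versus the normal approximation."""
    mean, std = sample_mean_std(n, l, k)
    c_thr = math.floor(mean - s * std)
    exact = hypergeom_lower_tail(n, l, k, c_thr)
    normal = normal_upper_tail(s)
    return {"c_thr": c_thr, "exact": exact, "normal": normal, "ratio": exact / normal}


if __name__ == "__main__":
    # Constructed inputs: n = l and a total error fraction k/(n+l) of 5%.
    for n in (1000, 5000, 20000):
        k = n // 10
        for s in (3.0, 5.0):
            r = compare_tails(n, n, k, s)
            print(f"n=l={n:6d} k={k:5d} s={s}: c<={r['c_thr']:5d} "
                  f"exact={r['exact']:.3e} normal={r['normal']:.3e} ratio={r['ratio']:.2f}")
    print(f"Phi(10.5) = {normal_upper_tail(10.5):.3e}")
```

The last line reproduces the pairing of s(ε) = 10.5 with ε = 4.32 × 10⁻²⁶ used in Section 7.2.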



8. Summary 



In this paper, we presented a concise analysis for the BB84 protocol that takes the finite 
key effect into account and yields better key generation rates, with and without relying 
on the normal approximation. Our results are indeed an improvement of preceding 
literature; as we have shown in Figure 1, our analysis gives better key generation rates
R in practical settings than in Refs. [2, 4].

In order to serve the convenience of experimentalists who wish to evaluate the 
security of their QKD systems, we included explicit procedures of security evaluation in 
Sections |3] and El In particular, in addition to presenting the exact values of key rates 
and security parameters, we also presented how to obtain their rough estimates using 
the normal approximation. 

For the sake of simplicity, we restricted ourselves to the simple case where Alice
has a perfect single photon source. On the other hand, in order to achieve a long
communication distance by a practical QKD system using a weak coherent light source,
decoy pulses are necessary [28]. This situation was analyzed by one of the authors [1],
relying on the normal approximation. A thorough and exact analysis in this direction
without any approximation remains as future work.

Figure 3. Solid curve: the same curve as the solid curve in Figure 1 with QBER = 1%.
This curve is obtained by using Proposition 2, without using any approximation.
Dashed curve: the final key rate R(c) obtained for the same values of QBER,
$P_{\max}$, r, l, n, using the straightforward bounds of Proposition 1; hence this curve is
obtained using the normal approximation. Note that the two curves are almost
identical.

Appendix A. Justification for restricting the argument to the
generalized Pauli channel

The generalized Pauli channel is defined to be a channel where the phase error and the
bit errors occur stochastically (i.e., with a classical probability). It is easy to see that, 
in this setting, the virtual phase error probability Pph after the privacy amplification, 
mentioned in the main text, can clearly be defined. In Ref. [I], it is shown that the 
trace distance can be bounded from above by using Pph. 

Here we demonstrate that, without loss of generality, this argument can be extended 
to the case where the quantum channel A between Alice and Bob is arbitrary and 
general. First, we consider the discrete twirling. For n-bit sequences $x = (x_1, \ldots, x_n)$
and $z = (z_1, \ldots, z_n)$, define the unitary matrix
$U(x, z) := (X^{x_1} \otimes X^{x_2} \otimes \cdots \otimes X^{x_n})(Z^{z_1} \otimes Z^{z_2} \otimes \cdots \otimes Z^{z_n})$,
where X is the bit flip operator and Z the phase flip operator.
Then, the discrete twirling of A is defined as A := ^^2~^"Az, where z = {x,z) and 
Ax,z(p) := U{x, z)A{U{x,z)pU{x, z)'')U{x,zy . In this paper, we treat the phase error 
and the bit error of the channel A due to the following reason. 

Now, we denote the final state and the ideal state with the public information x 
by Pa,e'\x{-A) and pidoai|a;(A) when the channel between Alice and Bob is A. Hence, 
our security criterion is J2x^p^b(^)\\PAE'\x{-A) — Pideai|x(A)||i. Indeed, the distribution 
Ppuh{x) depends on the channel A in general, however, it does not change even if the 
channel is replaced by A^ because the initial random variable is uniform and the hash 
function and error correction are linear. Also for the same reason, we have ||pA,£'|a;(A) ~ 
Pideai|a;(A)||i = \\pA,E'\xiAz) " Pideai|x(Az) || 1- The state Z^^ 2"^>A,£'|x(Az) ®J_z)(z| and 
^^2~^"'Pideai|a;(Az)®|z)(z| cau be regarded as the state p^^£;/|j,( A) and pideai|x(A) because 
the classical information z can be treated as a part of Eve's system with the channel A. 
Hence, 

^ Ppnhix)\\pA,E'\xi^) -pidcal|x(A)||l 

X 

= II ^2"^''^Ppub(a;)||pA,ii;'|x(Az) ® |z)(z| - pideai|x(Az) ® |z)(z|||i 

Z X 

= II X]^P-b(^)ll Zl2"'>A,i?'k(Az) ® |Z)(Z| - 5^2-2>ideal|x(Az) ® |z)(z| 
X z z 

= ^Ppnhix)\\pA,E>\xi^) -Pldeal|x(A)||l. 

X 

Therefore, it is enough to consider the case when the channel is A even if the used 
channel A is not a Pauli channel. 

Appendix B. Proof of Lemma 1

In order to prove this lemma, we introduce several new lemmas. In the first part,
i.e., Appendix B.1, we derive exact upper bounds on $P_{\mathrm{hg}}(c|k)$ given in terms of l or
s(ε). Then in Appendix B.2 we show that those upper bounds can also be bounded by
$\varepsilon = \Phi(s(\varepsilon))$. Finally in Appendix B.3, using the obtained results, we prove Lemma 1.



Appendix B.1. Upper Bounds on sums of $P_{\mathrm{hg}}(c|k)$
Lemma 2 If I < n and -ri < -ri < h 

■' — n+l — n+l — 2 ' 

c 

^Phg(^|A:)</^„M(c), (B.i; 



i=0 



where 



, ^ , n{n + I - k)k 



{n + l){n - k + c){k - c) 
xe'^2"K^)-("+')K^)+'Kf), (B.2) 

Proof: By using Stirling's formula

$$n! = \sqrt{2\pi n}\left(\frac{n}{e}\right)^{n} e^{\lambda_n}, \quad \text{with } \frac{1}{12n+1} < \lambda_n < \frac{1}{12n}, \tag{B.4}$$



we have 



(fc-J / n{n + l- k)k 



C^O V {n + l){n-k + c){k-c) 
xe'^'2"K^)-("+')K^) 



(B.5) 
where 

A* '■= ^n ~ ^n-k+c ~ ^k-c ~" ^n+l + ^n+l~k + ^k 
< A„ + Xn+l-k + Afc < h -— 

bn 12 

for ^ < ^ < i and / < n. Combining f IB.SP with ^11=0 G) — 2 ^^'^ (see, e.g., Lemma 
4.2.2 of [29J), we obtain (iRTj) . D 

Lemma 3 For I < n, c < c(k), and -^ < ^ 



2 



Proof: Since h"'{x) decreases monotonically, we have 

h{x) < h{xo) + h'{xo){x - xo) + -h"{xo){x - xof + -h"'{xo) {x - xo)^(B.7) 

2 o 

(Let h{x) be the LHS minus the RHS. It is easy to verify that /i(xo) = h'{xo) = 

h"{xo) = h"'{xo) = and that h"'{x) = h"'{x) — h"'{xo) is a decreasing function. Then 

by integrating h"'{x) three times, one can show that h{x) < 0.) Applying inequahty 

(IB. 711 for Xo = ^ and x = ^, and also for x = y, we have 

1 , „ / k \ n + I , -/, x\2 



i,,„ r k \ ( 1 1 



6 V^ + V l^ /2j V V ; ; 
Since /i"' (;^), c(A;) — c, and n — / are all non-negative by the conditions stated in the 
lemma, the second term on the right hand side is non-positive. Then by noting 
n + Z „ ( k \ _ 1 n + / ^ 1 



nl \n + lj {\n2)a{k)^n + l-l- {\n2)cT{ky'' 

we have Inequality (B.6). □

Lemma 4 If $c < \bar{c}(k)$, we have

$$\sqrt{\frac{n(n+l-k)k}{(n+l)(n-k+c)(k-c)}} < \sqrt{\frac{n+l}{n}}. \tag{B.9}$$

Proof: Let

$$C(n, l, k, c) := \frac{n^2 (n+l-k)k}{(n+l)^2 (n-k+c)(k-c)}.$$

Then it suffices to show $C < 1$ for $0 < c < \bar{c}(k)$.

The function $f(k, c) := (n-k+c)(k-c)$ inside the square root is a concave parabola
with its vertex at $c = k - \frac{n}{2}$. This means that $f(k,c) > \min\{f(k,\bar{c}(k)), f(k,0)\}$,
and thus $C(n,l,k,c) < \max\{C(n,l,k,\bar{c}(k)), C(n,l,k,0)\}$. Then it is straightforward to
verify $C(n,l,k,\bar{c}(k)) = 1$ and $C(n,l,k,0) < 1$. □
Lemma 5 If I <n, 1 < k, c < c{k) and ^ < |, we have 

n + I 1 /c — c{k)^ 



5^Phg(^|A;)<e^^^exp 



i=0 



2 V (r{k) 



Proof: Combine Lemmas 2, 3 and 4. □
Lemma 6 IfO<t, c{k) ~ It < 1/2 and ^7 < i^ 



c{k)-lt 

^ Phg{c\k) < exp 

c=0 

Proof: According to [15] , 



c{k)-lt 
1=0 



2 \n + l 



> P-* / 1 \ i-(p-t)' 



p — tj \1 — (p — t) 

^ilh(p-t)-h{p)+th'ip)] 
(B.10) 



(B.ll) 



(B.12) 



where p = ^^ = -^^. Since h"{x) increases monotonically ioi p — t<x<p< 1/2, we 



have 



That is, 



D 



i-ty un 



h{p -t)< h{p) + {-t)h!{p) + ^--^h"{p). 



l[h{p-t)-h{p)+th'{p)]<^^h"{p) 



Appendix B.2. Upper and Lower Bounds on $(x) 

Lemma 7 The normal distribution function, defined in [W\) . is hounded as 

Va;2 + 27r - ^ ' - x 

Proof: According to Ref. [H], the function $(x) satisfies 



^.(x)e-^'/2 < $(x) < ^4(x)e-^'/^ 



where 



9k{x) 



V2k 



{k - l)x + ^/a^~+2k 
Then it is straightforward to show that for k,x > 0, 

Vx^ + 2k - ^ ' - X 
Combining (B.14) and (B.16), we obtain the lemma. □



(B.13) 

(B.14) 
(B.15) 

(B.16) 
Lemma 8 If $\varepsilon = \Phi(s)$, and $2 < s$,

e-'^ < |. (B.17) 

Proof: From Lemma [3, 



.2 , _,2/2Vs2 + 27r^,^, l{s^ + 27r)e- 



e-^ <e-/^ - ^ Hs) = \l^—^ e. 



s^ 



(5^+277)6-^ ^ 1 



Then by noting ^^ ^ < | for 2 < s, we obtain the lemma. D 

Appendix B.3. Proof of Lemma 1

If k/(n + l) < 1/2, by combining Lemmas 5 and 7 we obtain



[c—scr] 



E ^hg(^|/c) < ^ 

c=0 



n + / /s2 + 27r 



e'^e. 



On the other hand, if k/(n + l) > 1/2, by Lemma 6 we have

Cm ax Cm ax 

J2Pt,{c\k)< 5^Phg(c|(n + /)/2) 



c=0 c=0 

< exp 



^/^^H^/."(l/2)' 



^i 



<e"5'<e"-. (B.18) 

Then by using Lemma U\ we have 



£Phg(.|fc)<e-^^^< J^^e. (B.19) 

c=0 

Appendix C. Proof of Theorem 1 

Appendix C.1. Proof of Case 1

Since Psft(fc, c) = ^<^<^= Psmp(cmin), we have for arbitrary c G [0, /], 
g{k, c) = nh {psitik, c)) - nh {psit,e (max{c + 2, Cmm})) - ^ 

< nh (Psmp(Cmin)) " ^/^ {Psit,s{'^mm)) - D. 

Further, from the concavity of h{x) and from the monotonicity of h'{x), 

g{k,c) < nh' {ps{t,e{Cmin)) [Psmp(Cmin) - Psit,e{<^rnm)] 

< '^/i'feft.elCmax)) [Psmp(Cmin) - Psit,e{'^mm)] ■ 

Then by using Eq. (!25l) and by noting that (psmp — Pe) = 47Pe(l — Pe) (see below Eq. 
), 

g{k, C) < - (n + /)/l'(Psft,£(Cmax)) [^^(Cmin) - J5smp(Cmin)] " ^ 
= - (n + Z)/l'(psft,e(Cmax)) 
X A/47VPe(Cmin)(l " Pe(Cmin)) - D 
= - (1 + 47)s(e)/3or ((n + /)p,(c,nin)) " /^ 

The last inequality follows by noting that nCmm/l- < (^ + OPe(<^mm) < ('^ + OPelCmax), 
and thus — o" ((n + /)pe(cmax)) < — cr (^Cmin/0- Then by using Lemma [H we have for 
1 < ^min,e and D = 1, 

D 

Appendix C.2. Proof of Case 2 

This part is immediate from the following lemma. 

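Lemma 9 Suppose $1 < l < n$, $4\gamma < 1$. Then, for any integer k, any real number $\varepsilon > 0$
and any $c \in [\bar{c}(k) - s(\varepsilon)\sigma(k),\, c_{\max}]$, we have

$$g(k, c) < -\beta\left(c - \big(\bar{c}(k) - s(\varepsilon)\sigma(k)\big) + 1\right) - D, \tag{C.1}$$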

with (3 defined in (E^j- 

Proof: With h{x) being concave, and with Psft,e(c) increasing monotonically, 

g{k, c) < - r2/i'(psft,e(c + 2)) (]3rft,e(c + 2) - Psit{k, c)) - D 

< - n/l'(psft,e(Cmax + 2)) (Psft,e(c + 2) - Psitik, c)) - D. 

The quantity Psft,e(c + 2) — Psitik, c) on the right hand side can be bounded as follows. 
First note Psft,e(c — sa) — Psnik, c — sa) = by the definition of Psft,e(c), given in ^ 



and (123]) . Also by the definition of Psft,e(c), we have that -^|^ > y+F^ ~ n' ^^"^ 
that ^ = -^ by the definition of psft(fc,c); hence ^(psft,e - Psft) > ijir^- Thus 



Psft,£(c - sor + 2) - Psit{k, c- sa + 2) > j^^- Then for c{k) - s{e)cr{k) < c, we have 



1+47 nl ' 

T'^nf^n Tnr ni h\ — e(ci/-rlj 

1+47 nl 

Psft,e(c + 2)-p3ft(fc,c) (C.2) 

= {psit,e{c + 2) - Psft(A;, c + 2)) + (psft(A;, c + 2) - psft(/i;, c)) (C.3) 



D 



Plugging this upper bound on g{k,c) (for D = 1) to Spa_{k,c) (given in (TT^ and 
flT4|) ). we obtain Case 2 of Theorem 1. 
Appendix D. Proof of Theorem 3

Next we prove Theorem 3 starting from Theorem 1. In the following, s(ε) is simplified
to s.

Under the conditions of Case 1 of Theorem 1, inequality (34) holds independently
of the normal approximation, and thus we readily see that ( H9l) holds.



Lemma 10 If I < I < n, I < k, c < c{k) and ;^ < 1/2, we have 



^fl+U 



1 fc-c{k) 

2 V (r{k) 



P\iJc\k) < , — exp 

""^ ' ' - V2^a{{n + l)c/l) 

with fi defined in liB. 3\) . and 

1 1 

^ '~ 121 ^ 2{n + I - 1)' 

Proof: By using Stirling's formula (B.4), we have

(^\ < / ^ I (.^'2^h{c/l) 

\cj -\ n + l-l,/2^a{{n + l)c/l] 
where 



n + l-ly/2na{{n + l)c/l) 
1 



u' = \i- Xi^c - Ac < Ai < 



12/' 



(D.l) 



(D.2) 



(D.3) 



(D.4) 



Then by combining Inequality (]D.3P with (IB.SP and ( 1B.6P , and by using Lemma HJ we 
obtain 

2" 



Phg(c|/c) < 



e'^^ i2i 



27ra((r2 + /)c//) 



1 + 



ra + Z- 1 



exp 



1 fc-c{k) 

2 V a(A;) 



Then by noting 



1 



1 



n + l-l 
we obtain the lemma. D 



< Wexp 



n + l-l 



exp 



2(n + /-l) 



Lemma 11 If I < n, 1 < Cmm, '"-Cmm/^ < ^; c(A;) — sa{k) < c < c(A;) anc? ^ < 1/2, we 



have 



Phg(c|A;) < 



oM+i^ 



27ra(A;) 



exp 



1 fc-c{k) 

2 V (t(A;) 



(D.5) 



wt/i /i, z/ defined in W. 3\) . W.^) 

Proof: From the definition of cr[k), we have 

(T{k) . 1 



< 



a{k{l-scr{k)/cik))) - ^l-sa{k)/c{k)' 
By noting that nc^i^/l < k, we have 






< , / ^ f Kn + l) _ ^ 

l{n + l-l) \ nCmin 



n fl{n + I) — nc„ 



< 



< 



l{n + l - 1) \ nCrain 

n fl{n + l-l) 



l{n + / — 1) \ nc^ 
1 



^min 



Hence 1 — ^U^ > 1 — '/^=- The assumption yields that {n + l)c/l > k{l — sa{k)/c{k)), 
which imphes 

a{k) ^ a{k) ^ 1 



a{{n + l)c/l) - a{k{l - sa{k)/c{k))) " /fT 



Combining this inequality with Lemma 10, we obtain Lemma 11. □



Appendix D.1. Proof of Case 2



If -T7 > \i this case can be proved by exactly the same argument as in Appendix B.3 



(Note here that the condition s^ < Cmm < Cmax < 0.12/, appearing in Theorem 3, implies 
|s^ < /). Hence in this subsection, we assume that ^ < |. We also assume that 1 < fc, 
because the case A; = is already considered in Case 1 of Theorem 1. 
First we divide the right hand side of ( 137|) into three parts. 

Cm ax 

^Phg(c|A;)5pa(A;,c) 

c=0 

\c{k)-sa{k)\ L5(fc)J-l 

< Y. P^M^)+ E Phg(c|A;)5pa(A;,c) 

c=0 c=\c{k)-sa{k)\+l 

Cmax 

+ Y, Pi.g{c\k)Sp,{k,c). (D.6) 

c=lc{k)\ 

The first term on the right hand side can be bounded from above by Lemma 1. The 
second term can be bounded as 

Lc(fc)j-i 

Y Phgic\k)Sp^{k,c) 

c=[c{k)-S(7{k)\ + l 
[c{k) i-1 

c=lc(k)~sa{k)\+l 
e^+^ 1 

< 



1 £_ y/2TTa{k) 

im\-^ r 1 / -nv 

^ E exp - (^ 

c=[c(fc)-scr(fe)j+i L \ V ; , 

^ 2'f3{c^{c{k)-sa{k))+l) 



1 s_ V27r 



/Cn 
ofJ.+U 



<^^=^iAm)- 



Then J2 ('Ce(^)) appearing in the last hne can be bounded by Inequahty (l44l) . (Note 
that the argument in the paragraph of Inequahty (jUj) does not rely on the normal 
approximation. ) 

The third summation on the right hand side of (D.6) can be bounded as

Cmax"r 1 

c=Lc(fc)J 

CmaxH" 1 

c=Le(fc)J 

Appendix E. Proof of Theorem [H 

First, we fix an arbitrary $\varepsilon' > \varepsilon$. Since the function h(x) and its derivative h'(x) are
uniformly continuous in the range $[p_{\min}, p_{\max}]$, there exists an integer N such that
rri/i(Psft,.'(c+l))l +1 < \nh (psmp(c)) + V^h' (p3n.p(c)) y^ -p(-)(^-P-p(-))(^+*r ,(g)] for 
n > N and / > tn. Using Theorem 1 of [30], we can choose constants Ci and C2 such 
that Phg(c|A;) < -^ J^^+' e-^^^dx + ^^^^^exp{-C2Cc)- Here note that the constants 
Ci and C2 are different from those defined in Theorem 1 of [30] . 
Using C3 := f^ Ci(l + x^) exp(— C2a;^), we obtain 

E ^ f,: -M-C.C) min {2-/^(-(-^(^H), 1} < ^ (E.l) 

Hence, Theorem [2] yields that 

Pph,n,/ < (1 + 5;)e' + ^ --. (E.2) 

where $\delta'_n$ is the maximum of $\delta$ given in Theorem 2 with the condition l > tn.

Since minH>inmin^^^^^^^<,<(„^,)^^^^^^^,(^p^^^^^))or„,/A;) ^ 00 as n ^ 00, we obtain 

lim„_>.oo max;:;>t„ ^^^T^^^ — — 7^ = 0. Also we can show that 5'^ — )• 0. 

*:"Pmin<'=<("-+')( Pgft g/(ipmax + l)j "' 
Thus, we obtain $\lim_{n\to\infty} \max_{l:\, l > tn} P_{\mathrm{ph},n,l} \le \varepsilon'$. Since $\varepsilon'$ is an arbitrary real number
satisfying $\varepsilon' > \varepsilon$, we have $\lim_{n\to\infty} \max_{l:\, l > tn} P_{\mathrm{ph},n,l} \le \varepsilon$. □



